Bug #12589

closed

Dynamic DNS updates do not respect certificate authority trust store

Added by Daniel Engel 5 months ago. Updated 3 months ago.

Status: Closed
Priority: Normal
Assignee:
Category: Dynamic DNS
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 22.01
Release Notes: Default
Affected Version: 2.5.2
Affected Architecture: amd64

Description

I use a "Custom" DDNS service to register my dynamic home IP address as a subdomain of my dedicated server domain (static IP address). I administer both ends of the DDNS system.

I created a local pfSense CA and then used it to sign a certificate that I then installed on my web server. The Trust Store option (Add this Certificate Authority to the Operating System Trust Store) in the pfSense CA entry is checked (yes). However, the DDNS update returns an error: "rc.dyndns.update: Curl error occurred: SSL certificate problem: unable to get local issuer certificate"

Investigating, I found my custom CA was added to the Trust Store (in /etc/ssl/certs/b1f33eb6.0), but curl-config --ca points elsewhere: /usr/local/share/certs/ca-root-nss.crt

I have a workaround by setting CURLOPT_CAPATH:

--- dyndns.class.old    2021-05-28 04:35:21.000000000 -0700
+++ dyndns.class        2021-12-13 15:01:34.967570000 -0800
@@ -946,6 +946,7 @@
                                                }
                                                if ($this->_curlSslVerifypeer) {
                                                        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
+                                                       curl_setopt($ch, CURLOPT_CAPATH, "/etc/ssl/certs/");
                                                } else {
                                                        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
                                                }
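Review bot: the added `curl_setopt($ch, CURLOPT_CAPATH, "/etc/ssl/certs/");` line hard-codes a path with no comment and no existence check. A comment should record why it is there (the CA option "Add this Certificate Authority to the Operating System Trust Store" writes into /etc/ssl/certs/, while curl's own bundle per `curl-config --ca` is /usr/local/share/certs/ca-root-nss.crt), and the option should only be set when that directory exists, because CURLOPT_CAPATH expects an OpenSSL hashed directory (entries like b1f33eb6.0) and an unusable location makes every verified request fail rather than just the local-CA case. On the concern raised in the description: with the OpenSSL backend libcurl loads both the CURLOPT_CAINFO bundle and the CURLOPT_CAPATH directory, so the default bundle stays in effect and the directory is an addition, not a replacement.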

However, I am not sure this workaround is a true fix, since I think this option completely changes the search path (rather than appending).
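As an added example (not pfSense's dyndns.class code), the following PHP shows how a DDNS client can verify the update server against both libcurl's default bundle (CURLOPT_CAINFO) and the operating-system trust store directory that the CA option populates (CURLOPT_CAPATH), check that the directory actually has the hashed layout curl expects (the b1f33eb6.0 filename above is that layout), and report the verification failure class quoted in the description. The constant, the function names and the /etc/ssl/certs/ default are assumptions for illustration.

```php
<?php
// Added example, not the project's code. Paths and names are assumptions.
declare(strict_types=1);

// Directory the OS trust store option is assumed to populate (OpenSSL c_rehash layout).
const OS_TRUST_STORE_DIR = '/etc/ssl/certs/';

/**
 * True when $dir looks like an OpenSSL hashed CA directory: at least one entry
 * named <8 hex digits of subject hash>.<n>, e.g. "b1f33eb6.0". CURLOPT_CAPATH
 * only finds issuers in a directory with this layout.
 */
function is_hashed_ca_dir(string $dir): bool
{
    if (!is_dir($dir)) {
        return false;
    }
    foreach (scandir($dir) ?: [] as $entry) {
        if (preg_match('/^[0-9a-f]{8}\.\d+$/', $entry) === 1) {
            return true;
        }
    }
    return false;
}

/**
 * Build a curl handle for the update URL. With the OpenSSL backend, libcurl loads
 * both the CURLOPT_CAINFO bundle and the CURLOPT_CAPATH directory, so adding the
 * OS trust store does not drop the public CAs in the default bundle.
 */
function ddns_curl_init(string $url, bool $verify_peer, ?string $capath = OS_TRUST_STORE_DIR)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);
    if ($verify_peer) {
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); // certificate must match the host name
        // Only point curl at the directory when it is present and in hashed form;
        // an unusable CAPATH would make every verified request fail.
        if ($capath !== null && is_hashed_ca_dir($capath)) {
            curl_setopt($ch, CURLOPT_CAPATH, $capath);
        }
    } else {
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
    }
    return $ch;
}

/** Perform the update and return a structured result instead of a bare string. */
function ddns_update(string $url, bool $verify_peer = true, ?string $capath = OS_TRUST_STORE_DIR): array
{
    $ch = ddns_curl_init($url, $verify_peer, $capath);
    $body = curl_exec($ch);
    $result = [
        'ok'         => $body !== false,
        'http_code'  => curl_getinfo($ch, CURLINFO_RESPONSE_CODE),
        'curl_errno' => curl_errno($ch),
        'error'      => curl_error($ch),
        'body'       => $body === false ? '' : $body,
        'hint'       => '',
    ];
    curl_close($ch);

    // CURLE_SSL_CACERT (60) is the "unable to get local issuer certificate" class
    // from the report: the chain could not be built from the configured stores.
    if ($result['curl_errno'] === CURLE_SSL_CACERT) {
        $result['hint'] = ($capath !== null && !is_hashed_ca_dir($capath))
            ? "issuer not found; $capath is missing or not an OpenSSL hashed directory"
            : 'issuer not found in the default bundle or the trust store directory';
    }
    return $result;
}

// Usage: php ddns_update.php https://ddns.example.invalid/update?host=home
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    echo json_encode(ddns_update($argv[1]), JSON_PRETTY_PRINT), PHP_EOL;
}
```

The pre-flight check is the part worth keeping even if the rest is adapted: a CA that was written to the trust store but is not visible to curl fails with the same error as a genuinely untrusted server, so confirming the directory layout before enabling CAPATH separates a configuration problem from a real verification failure.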

Actions #2

Updated by Jim Pingle 5 months ago

  • Status changed from New to Pull Request Review
  • Assignee set to Viktor Gurov
  • Target version set to 2.6.0
  • Plus Target Version set to 22.01

Actions #3

Updated by Viktor Gurov 5 months ago

  • Status changed from Pull Request Review to Feedback
  • % Done changed from 0 to 100

Actions #4

Updated by Jim Pingle 5 months ago

  • Subject changed from DDNS service does not use local CA to Dynamic DNS updates do not respect certificate authority trust store

Updating subject for release notes.

Actions #5

Updated by Marcos Mendoza 5 months ago

Do we know if the path is replaced rather than appended to? Is it an issue?

Actions #6

Updated by Viktor Gurov 5 months ago

Marcos Mendoza wrote in #note-5:

Do we know if the path is replaced rather than appended to? Is it an issue?

It's appended to the default /etc/ssl/cert.pem store (CURLOPT_CAINFO), and only for Custom/Custom (v6) providers.

Actions #7

Updated by Jim Pingle 3 months ago

  • Status changed from Feedback to Closed