Bug #4545
closed
dynDNS service 'selfhost' fails certificate validation
0%
Description
Since pfSense Update 2.2 and 2.2.1 it seems that the dynamic DNS update for the service provider 'selfhost' is broken. I always got the error message:
Curl error occurred: bind failed with errno 47: Address family not supported by protocol family
My two other providers (No-IP and FreeDNS) works without any problems (see screenshot). Here is a snippet from the syslog:
Mar 22 15:22:48 php-fpm[13175]: /rc.dyndns.update: Curl error occurred: bind failed with errno 47: Address family not supported by protocol family
Mar 22 15:22:47 php-fpm[13175]: /rc.dyndns.update: phpDynDNS (xxxx.strangled.net): (Success) IP Address Changed Successfully!
Mar 22 15:22:47 php-fpm[13175]: /rc.dyndns.update: phpDynDNS: updating cache file /conf/dyndns_wanfreedns'xxxx.strangled.net'2.cache: 93.219.54.196
Mar 22 15:22:44 php-fpm[13175]: /rc.dyndns.update: phpDynDNS (xxxx.no-ip.biz): (Success) DNS hostname update successful.
Mar 22 15:22:44 php-fpm[13175]: /rc.dyndns.update: phpDynDNS: updating cache file /conf/dyndns_wannoip'xxxx.no-ip.biz'1.cache: 93.219.54.196
When I try to enable verbose logging on the edit page for this service, I got some more messages and quite another error message:
Mar 22 17:01:52 php-fpm[2687]: /services_dyndns_edit.php: Curl error occurred: SSL certificate problem: unable to get local issuer certificate
Mar 22 17:01:52 php-fpm[2687]: /services_dyndns_edit.php: DynDNS (xxxx.selfhost.eu): Current Service: selfhost
Mar 22 17:01:52 php-fpm[2687]: /services_dyndns_edit.php: DynDNS (xxxx.selfhost.eu): DynDns _checkStatus() starting.
Mar 22 17:01:50 check_reload_status: Syncing firewall
Mar 22 17:01:50 php-fpm[2687]: /services_dyndns_edit.php: SelfHost: DNS update() starting.
Mar 22 17:01:50 php-fpm[2687]: /services_dyndns_edit.php: DynDNS (xxxx.selfhost.eu): DynDns _update() starting.
Mar 22 17:01:50 php-fpm[2687]: /services_dyndns_edit.php: DynDns (xxxx.selfhost.eu): 93.219.54.196 extracted from local system.
Mar 22 17:01:50 php-fpm[2687]: /services_dyndns_edit.php: DynDns: updatedns() starting
Same error on a fresh installation of pfSense 2.2.1.
Can anybody confirm this issue?
Are there any known workarounds at this time?
Kind regards,
routerfreak
Files
Updated by Phillip Davis about 9 years ago
Are you able to try it again with pfSense 2.1.5?
It would be good to know if it is something that changed with the provider about the time of pfSense 2.2 release or if it really is a pfSense change in behavior.
Updated by Willy Tenner about 9 years ago
I also thought about a short downgrade to test it ;-) but ... my whole family will kill me if I touch the router any more this weekend. Maybe I find a timeslot in the next days. It's a real machine with nanobsd. I have to flash another CF card with a fresh 2.1.5 and restore my old config from 2.1.5.
I've used 2.1.5 with DynDNS provider 'selfhost' until 18-MAR-2015 without any issues. I think it will be very unlikely that 'selfhost' is changing its behavior while I am upgrading my router to 2.2.1.
Updated by Kill Bill about 9 years ago
They have a wildcard certificate for .selfhost.*de used on .selfhost.*eu. No wonder it does not work. Not really any pfSense bug.
Updated by Willy Tenner about 9 years ago
@Phillip:
Just installed a virtual test environment with VMware:
With pfSense 2.1.5 i386 dyndns update definitely works with provider 'selfhost': No errors, only success.
With pfSense 2.2.1 i386 it works not. Same error:
Mar 23 09:36:59 php-fpm[249]: /services_dyndns_edit.php: Curl error occurred: SSL certificate problem: unable to get local issuer certificate
Updated by Kill Bill about 9 years ago
Yes, 2.1.x does not check the certificates.
Updated by Willy Tenner about 9 years ago
I just opened a case at 'Selfhost' and sent them the link of this thread too. Will give you a feedback when I get any news.
Updated by Willy Tenner about 9 years ago
News:
Here is a short summary of the answers from the provider:
Host carol.selfhost.de is the update host of provider 'selfhost' used for updating the IPs. The certificate used is NOT a wildcard certificate. (BTW why should be there a problem with wildcards: RFC 2818 ("HTTP Over TLS") is explicitely specifying it: "Names may contain the wildcard character * which is considered to match any single domain name component or component fragment."
The certificate was issued by Thawte in July 2013. Renewed on March, 24th 2015 and swapped from SHA-1 to SHA-2.
The certificate chain is not broken. You can proof it on a current Ubuntu system:
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-44-generic x86_64)
* Documentation: https://help.ubuntu.com/
Last login: Wed Mar 25 20:44:29 2015 from 172.16.48.3
root@blues:~# openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect carol.selfhost.de:443
CONNECTED(00000003)
depth=3 C = ZA, ST = Western Cape, L = Cape Town, O = Thawte Consulting cc, OU = Certification Services Division, CN = Thawte Premium Server CA, emailAddress = premium-server@thawte.com
verify return:1
depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify return:1
depth=1 C = US, O = "thawte, Inc.", OU = Domain Validated SSL, CN = thawte DV SSL CA - G2
verify return:1
depth=0 CN = carol.selfhost.de
verify return:1
---
Certificate chain
0 s:/CN=carol.selfhost.de
i:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
1 s:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/CN=carol.selfhost.de
issuer=/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
---
No client certificate CA names sent
---
SSL handshake has read 4194 bytes and written 503 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: B426B75ED9E6C8B0E9DDEE40D29CE1B52B4A666F8B36B48B5F609A9F4CA97A32
Session-ID-ctx:
Master-Key: 594D354504883DA939B727001FE06130CEB6984F65FB45C7D45F997977AFBFCE694CA281427C4446594FB61B3A850276
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1427358478
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
On pfSense there seems to be a problem with the Root Certificate of Thawte. It is not found in the default CA Bundle of pfSense:
[2.2.1-RELEASE][admin@pfsense.sm.art]/root: openssl s_client -connect carol.selfhost.de:443 CONNECTED(00000004) depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA verify error:num=20:unable to get local issuer certificate verify return:0 --- Certificate chain 0 s:/CN=carol.selfhost.de i:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2 1 s:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2 i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com --- Server certificate [...]
Please help to get dyndns updater running again with 'selfhost'. If anything is wrong with the certificate please tell me.
Updated by Chris Buechler about 9 years ago
- Subject changed from dynDNS update for service 'selfhost' is broken since pfSense 2.2 to dynDNS service 'selfhost' fails certificate validation
- Category set to Dynamic DNS
- Status changed from New to Confirmed
- Target version set to 2.2.2
There's no problem with wildcard certs (if they're for the correct domain, of course).
2.2 enabled SSL certificate verification for this service, which I only checked by loading the URL in Chrome to verify it validated. OpenSSL is more strict than Chrome in some of these bad configurations though.
From a Linux host where wget ignores the chain issue and succeeds, openssl fails.
$ openssl s_client -connect carol.selfhost.de:443 CONNECTED(00000004) depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA verify error:num=20:unable to get local issuer certificate verify return:0
OpenSSL fails in this case because they have a chain issue with extra certs.
https://www.ssllabs.com/ssltest/analyze.html?d=carol.selfhost.de&s=82.98.87.18
Willy: if you can show them that ssllabs link, hopefully they can fix that chain problem and that will fix this issue. Otherwise, I'll disable cert verification for selfhost and that will work around it.
Updated by Chris Buechler about 9 years ago
- Affected Architecture added
- Affected Architecture deleted (
i386)
Updated by Chris Buechler about 9 years ago
- Status changed from Confirmed to Resolved
- Affected Version changed from 2.2.1 to 2.2
I disabled validation for selfhost since they still have a chain problem that openssl rejects. If/when they fix that, let us know and we'll re-enable certificate validation.
Updated by Willy Tenner about 9 years ago
Hi Chris,
in short term: They fixed it!
Long term explanation:
The provider Selfhost has used a "cross-root cert" in his cert chain which was used to ensure legacy applications continue to trust Thawte certificates. This cert was named "Root 2" by Thawte with the following hints from Thawte:
"It is intended to be the primary root used for these products until mid 2010 when Thawte transitions to using a 2048 bit root. After that transition this root will be used as part of a cross certification to ensure legacy applications continue to trust Thawte certificates and must continue to be included in root stores by vendors. Vendors should not plan on removing support for this root until officially advised that the root is no longer needed to support certificates or CRL validation."
For whatever reason the installed CA-bundle "ca-root-nss.crt" in pfSense does not contain this cross-root certificate. Contrary to the advice from Thawte the provider Selfhost has removed this cross-root cert from his cert chain now:
openssl s_client -connect carol.selfhost.de:443 -CAfile /usr/local/share/certs/ca-root-nss.crt
CONNECTED(00000004)
depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify return:1
depth=1 C = US, O = "thawte, Inc.", OU = Domain Validated SSL, CN = thawte DV SSL CA - G2
verify return:1
depth=0 CN = carol.selfhost.de
verify return:1
---
Certificate chain
0 s:/CN=carol.selfhost.de
i:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
1 s:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/CN=carol.selfhost.de
issuer=/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
---
No client certificate CA names sent
---
SSL handshake has read 3094 bytes and written 505 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 98093229838D7145593136571F80FAAAEF4188EBEE93DA9A0693C129E4A0A62F
Session-ID-ctx:
Master-Key: BE84C7A3A3BB3945128D2AA428D8BA261DBF764BDFF467253711105EBE3471C8932C7653E63A92CB053A04FE9B9B349A
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1428927249
Timeout : 300 (sec)
Verify return code: 0 (ok)
In pfSense 2.2.1 the dyndns updater now works perfectly for selfhost:
php-fpm[73255]: /services_dyndns_edit.php: phpDynDNS: (Success) IP Address Changed Successfully!Please re-enable cert verification for Selfhost in pfSense 2.2.2 again. Thank you very much for your support.
Updated by Chris Buechler about 9 years ago
- Target version changed from 2.2.2 to 2.2.3
Thanks, it's been re-enabled (though this came through after 2.2.2-RELEASE was already completed and in testing, so not until 2.2.3)