Re: DDNS Update over https (ssl cert problem)

sf_online · ‎10-20-2009

Hello,

I tryed to setup that my c836 router use https to send host updates crypted to members.dyndns.org but it will not work.

I used the following howto:

http://www.dyndns.com/support/kb/configuring_cisco_https.html

and selected the Root 4 - Equifax Secure eBusiness CA-1 (Base-64 encoded X.509) to copy / paste from http://www.geotrust.com/resources/root-certificates/ to my router.

show debugging

Dynamic DNS debugging is on

SSL Subsystem:

SSL Handshake Message debugging is on

SSL Error debugging is on

SSL Event debugging is on

That give me the following output:

------------------------------------

File ../crypto/ssl/src/sslhdshk.c; Line 212 # Error -1006 [SSLPKICertValidationErr]

File ../crypto/ssl/src/sslhdshk.c; Line 257 # Error -1006 [SSLPKICertValidationErr]

File ../crypto/ssl/src/sslhdshk.c; Line 113 # Error -1006 [SSLPKICertValidationErr]

File ../crypto/ssl/src/ssltrspt.c; Line 369 # Error -1006 [SSLPKICertValidationErr]

File ../crypto/ssl/src/ssltrspt.c; Line 270 # Error -1006 [SSLPKICertValidationErr]

File ../crypto/ssl/src/ssltrspt.c; Line 250 # Error -1006 [SSLPKICertValidationErr]

00:46:24: DYNDNSUPD: Adding DNS mapping for xxx.homedns.org <=> x.x.x.x

00:46:24: HTTPDNS: Update add called for xxx.homedns.org <=> x.x.x.x

00:46:24: HTTPDNSUPD: Session ID = 0xB

00:46:24: HTTPDNSUPD: URL = 'https://user:pass@members.dyndns.org/nic/update?hostname=xx.homedns.org'

00:46:24: HTTPDNSUPD: Sending request

00:46:24: SSL Client Initialization Successful.

00:46:24: SSL: client hello encoded successfully.

00:46:24: SSL: write record: type: ssl handshake.

01 00 00 2F 03 00 4A DE 6A A6 3F 1E B1 BE A0 98

65 4A 76 B9 92 86 47 DB 96 E6 F3 F2 37 D4 8C 80

0E 2A 82 BF 84 48 00 00 08 00 04 00 05 00 0A 00

09 01 00

00:46:24: SSL: read record: type: ssl handshake.

02 00 00 46 03 00 4A DE 6A A6 6B F3 33 FB 80 FD

13 9D 35 01 CB C3 B5 AB 32 6C DB C3 6A 1E 51 6E

F0 17 E4 93 A8 FC 20 21 E4 27 39 C6 C0 4D 00 B9

AE FB 6D 04 91 4B BD 86 20 FD 39 C1 9E 01 9A 71

E5 72 78 81 A1 3A 19 00 04 00

00:46:24: SSL: process server_hello

00:46:24: SSL: server hello processed successfully.

sf_online · ‎10-20-2009

00:46:24: SSL: read record: type: ssl handshake.

0B 00 03 46 00 03 43 00 03 40 30 82 03 3C 30 82

02 A5 A0 03 02 01 02 02 03 0A 8E A2 30 0D 06 09

2A 86 48 86 F7 0D 01 01 05 05 00 30 4E 31 0B 30

09 06 03 55 04 06 13 02 55 53 31 10 30 0E 06 03

55 04 0A 13 07 45 71 75 69 66 61 78 31 2D 30 2B

06 03 55 04 0B 13 24 45 71 75 69 66 61 78 20 53

65 63 75 72 65 20 43 65 72 74 69 66 69 63 61 74

65 20 41 75 74 68 6F 72 69 74 79 30 1E 17 0D 30

39 30 31 32 39 31 39 31 30 31 31 5A 17 0D 31 30

30 33 30 31 31 39 31 30 31 31 5A 30 81 C6 31 0B

30 09 06 03 55 04 06 13 02 55 53 31 1B 30 19 06

03 55 04 0A 13 12 6D 65 6D 62 65 72 73 2E 64 79

6E 64 6E 73 2E 6F 72 67 31 11 30 0F 06 03 55 04

0B 13 08 38 30 34 30 31 33 36 37 31 31 30 2F 06

03 55 04 0B 13 28 53 65 65 20 77 77 77 2E 67 65

6F 74 72 75 73 74 2E 63 6F 6D 2F 72 65 73 6F 75

72 63 65 73 2F 63 70 73 20 28 63 29 30 39 31 37

30 35 06 03 55 04 0B 13 2E 44 6F 6D 61 69 6E 20

43 6F 6E 74 72 6F 6C 20 56 61 6C 69 64 61 74 65

64 20 2D 20 51 75 69 63 6B 53 53 4C 20 50 72 65

6D 69 75 6D 28 52 29 31 1B 30 19 06 03 55 04 03

13 12 6D 65 6D 62 65 72 73 2E 64 79 6E 64 6E 73

2E 6F 72 67 30 81 9F 30 0D 06 09 2A 86 48 86 F7

0D 01 01 01 05 00 03 81 8D 00 30 81 89 02 81 81

00 98 ED F7 8B AE A9 1E AC DC 22 84 61 82 09 43

72 2D 04 12 E5 1A 16 99 EF 72 7B 7A 1C 1F E0 86

EA 4D 64 D6 D2 74 9C 44 A3 9D 36 BF C0 F8 C1 3F

FC 30 D8 E9 90 FD 20 D8 93 2F CB D5 37 29 BF F7

E7 7B C7 50 99 D9 95 F9 95 72 DA ED DD 1F 7D 40

95 D3 7A D9 0D 98 F6 09 E0 7F 65 2E 23 53 86 A8

57 4E D7 16 B4 CF E5 D7 D8 6A 3E EB 4D CB 29 67

E9 10 A3 3C 05 88 E7 5D B9 F7 C3 5E FB A5 05 4C

4F 02 03 01 00 01 A3 81 AE 30 81 AB 30 0E 06 03

55 1D 0F 01 01 FF 04 04 03 02 04 F0 30 1D 06 03

55 1D 0E 04 16 04 14 72 6A EB 0D BB C8 EB BE BE

2B B6 A5 59 DD D4 D4 31 3D 80 15 30 3A 06 03 55

1D 1F 04 33 30 31 30 2F A0 2D A0 2B 86 29 68 74

74 70 3A 2F 2F 63 72 6C 2E 67 65 6F 74 72 75 73

74 2E 63 6F 6D 2F 63 72 6C 73 2F 73 65 63 75 72

65 63 61 2E 63 72 6C 30 1F 06 03 55 1D 23 04 18

30 16 80 14 48 E6 68 F9 2B D2 B2 95 D7 47 D8 23

20 10 4F 33 98 90 9F D4 30 1D 06 03 55 1D 25 04

16 30 14 06 08 2B 06 01 05 05 07 03 01 06 08 2B

06 01 05 05 07 03 02 30 0D 06 09 2A 86 48 86 F7

0D 01 01 05 05 00 03 81 81 00 37 6B 1E 31 A8 F1

47 F8 25 D9 D8 8D C2 ED E6 F5 EC 53 48 71 E1 40

6C B6 6E B0 67 88 4E 8B 3B 46 0E 3C 0D AB A8 3A

09 DC B0 50 31 FF 6D B8 A8 E1 C5 42 D5 52 0E DF

AC E5 3A C6 24 12 D8 E6 3F CF F5 05 6C 35 38 C6

9D B6 F2 15 18 CA 8D BF 46 01 8C 33 13 36 C1 BE

FF 66 39 2C E9 91 FD C6 B0 A2 B0 B0 74 27 56 61

0E E5 29 13 30 02 FD A3 DA 8E A0 D1 13 ED 14 13

AD 1F D8 10 D7 F5 1D E4 30 6A

00:46:24: SSL: process certificate

00:46:24: CRYPTO_SSL crypto_ssl_nonblocking_checkcert: Cert validation failed within PKI!

00:46:24: CRYPTO_SSL crypto_ssl_nonblocking_checkcert: The returned error code from PKI is -1006!

00:46:24: SSL: write record: type: ssl alter 02 00

00:46:24: HTTPDNSUPD: Call returned Request Aborted for update xx.homedns.org <=> x.x.x.x

00:46:24: DYNDNSUPD: Another update completed (outstanding=0, total=0)

00:46:24: HTTPDNSUPD: Clearing all session 11 info

can anyone help me please to get this fixed? i am not sure where i can start to get this working^^

Thanks!

sf_online · ‎11-25-2009

Is nobody here who can help please? ^^

BRIAN SEKLECKI · ‎01-26-2014

I confirm similar behavior...need to be able to configure the SSL client to force accept:

004363: Jan 26 03:29:41.876 EST5EDT: 0:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:../VIEW_ROOT/cisco.comp/pki_ssl/src/openssl/dist/ssl/s3_clnt.c:1048:

BRIAN SEKLECKI · ‎01-26-2014

Here is a copy my blog post on the topic...

I got aroud the issue with HTTPs in the DDNS client by manually creating a trustpoit and importing the certificate of the signing cert used on the HTTPs/Apache service on my domain provider (PairNIC)'s web service

----

Here is a simple guide of how to integrate your Cisco IOS router platform with your PairNIC-managed domain name.

This is a useful if you are buying commodity broadband connectivity from a hetergenous selection of regional service providers that use DHCP on a bridged ethernet WAN (Verizon FIOS, Comcast broadband, Consolidated Communications metro ethernet)

As you can see below, PairNIC makes-available a REST-style HTTP WebServices URL that you can pass simple GET-style calls to with the HTTP client in Cisco IOS routers.

NOTE: The password field below is not your PairNIC password, but instead, a dynamic key that is generated when you turn on Custom DNS for your domain and enable dynamic updates

NOTE: PairNIC domains are supported. Pair.com-managed-domains are not supported.

This works out, because you likely want to have a separate domain name for WAN DDNS updates

NOTE: You do not need to have an A-record in place already, despite the ambiguously named '/update' method-call below, it will actually create records on-demand.

NOTE: I'm not sure if there is an erase/delete/destroy/remove function call -- Waiting to hear back from Pair

--------------------

br00>sh ver

Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.2(4)M3, RELEASE SOFTWARE (fc2)

br00# conf t

ip ddns update method PairNIC

HTTP

add https://[PairNIC-Customer-Name]:[Domain-DDNS-Key-from-PairNIC.com]@dynamic.pairnic.com/nic/update?hostname=&myip=

!

interface GigabitEthernet0/1

description WAN Facing ISP

ip dhcp client client-id ascii hostname.domain.tld

! These two are likely to be ignored by your ISP's DHCP Server

! But useful to demonstrate how you could have an Cisco IOS

! DHCP server dispatch requests from Cisco IOS DHCP Clients

! in a enterprise network

ip dhcp client hostname hostname.domain.tld

ip dhcp client update dns server both

! This

ip ddns update hostname hostname.domain.tld

ip ddns update PairNIC host hostname.domain.tld

ip address dhcp

ip flow ingress

ip nat outside

ip inspect CBAC-IN-OUT out

ip virtual-reassembly in

ip access-class BogonOutside in

duplex auto

speed auto

ipv6 enable

no cdp enable

crypto map MyMap-DYMMAP

Turn on DDNS debugging to see the DDNS HTTP client functional steps:

router# debug ip ddns update

Dynamic DNS debugging is on

Force a release and renewal on your WAN interface (or VLAN)

br00#release dhcp gi0/1

br00#renew dhcp gi0/1

Turn on debugging to see the DDNS HTTP Client functional:

004017: Jan 26 03:09:06.110 EST5EDT: HTTPDNS: Update add called for br00.facilityCode.company.tld <=> 209.166.123.123

004018: Jan 26 03:09:06.110 EST5EDT: HTTPDNSUPD: Session ID = 0xE

004019: Jan 26 03:09:06.110 EST5EDT: HTTPDNSUPD: URL = 'https://FOO:BAR@dynamic.pairnic.com/nic/update?hostname=br00.facilityCode.company.tld&myip=209.166.123.123 BAR@dynamic.pairnic.com/nic/update?hostname=br00.facilityCode.company.tld&myip=209.166.123.123'

NOTE: At this point, we see the HTTP CURL/WGET client in Cisco IOS doing what it _should_ do -- however, it will fail because the SSL Library in IOS (OpenSSL) doesnt ship with a proper set of trusted root CA Certificates

To fix(*) this, we simply import and explicitly-trust the certificate that signed the SSL cert used on PairNIC's cert for 'dynamic.pairnic.com'

(*) Its more of a cheap hack. Cisco can fix by shipping a CA Cert Chain with OCSP/CRL enabled by default.

br00# conf t

br00(conf)# no crypto pki trustpoint CA-AddTrust-UserTrust

br00(conf)# crypto pki trustpoint CA-AddTrust-UserTrust

enrollment terminal pem

revocation-check none

crl optional

br00(ca-trustpoint)#crypto pki authenticate CA-AddTrust-UserTrust

Enter the base 64 encoded CA certificate.

End with a blank line or the word "quit" on a line by itself

[PEM Certificate here -- see below for openssl(1) command to extract on UNIX]

Trustpoint 'CA-AddTrust-UserTrust' is a subordinate CA and holds a non self signed cert

Certificate has the following attributes:

Fingerprint MD5: F2CB531D 39AA97FF 39900B79 1319ABD4

Fingerprint SHA1: 10189D78 180A33A9 DF7219F0 6D15FC86 5C9A6160

% Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

% Certificate successfully imported

And here is functional real-world example of this working:

004675: Jan 26 03:51:25.780 EST5EDT: DYNDNSUPD: Adding DNS mapping for test.probikesllc.biz <=> 192.168.15.167 server 216.151.95.152

004676: Jan 26 03:51:25.780 EST5EDT: HTTPDNS: Update add called for test.probikesllc.biz <=> 192.168.15.167

004677: Jan 26 03:51:25.780 EST5EDT: HTTPDNSUPD: Session ID = 0x11

004678: Jan 26 03:51:25.780 EST5EDT: HTTPDNSUPD: URL = 'https://[FOO]:[BAR]@dynamic.pairnic.com/nic/update?hostname=test.probikesllc.biz&myip=192.168.15.167'

004679: Jan 26 03:51:25.780 EST5EDT: HTTPDNSUPD: Sending request

004680: Jan 26 03:51:26.652 EST5EDT: opssl_SetPKIInfo entry

004681: Jan 26 03:51:26.652 EST5EDT: opssl_SetPKIInfo done.

004682: Jan 26 03:51:27.140 EST5EDT: opssl_SetPKIInfo entry

004683: Jan 26 03:51:27.144 EST5EDT: opssl_SetPKIInfo done.

004684: Jan 26 03:51:28.532 EST5EDT: HTTPDNSUPD: Response for update test.probikesllc.biz <=> 192.168.15.167

004685: Jan 26 03:51:28.532 EST5EDT: HTTPDNSUPD: DATA START

good 192.168.15.167 <----!! HTTP 2xx Code returns single line

004686: Jan 26 03:51:28.532 EST5EDT: HTTPDNSUPD: DATA END, Status is Response data recieved, successfully

004687: Jan 26 03:51:28.532 EST5EDT: HTTPDNSUPD: Call returned SUCCESS, update of test.probikesllc.biz <=> 192.168.15.167 succeeded

004688: Jan 26 03:51:28.532 EST5EDT: DYNDNSUPD: Another update completed (outstanding=0, total=0)

004689: Jan 26 03:51:28.536 EST5EDT: HTTPDNSUPD: Clearing all session 17 info

004690: Jan 26 03:51:29.544 EST5EDT: DHCP: Client socket is closed

004691: Jan 26 03:51:33.464 EST5EDT: DHCPD: checking for expired leases.

$ openssl s_client -showcerts -host dynamic.pairnic.com -port 443

-----BEGIN CERTIFICATE-----

MIIE/zCCA+egAwIBAgIQZGN9fqrQa65AVz1hK2fc9jANBgkqhkiG9w0BAQUFADBv

MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk

ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF

eHRlcm5hbCBDQSBSb290MB4XDTEwMDQxNjAwMDAwMFoXDTIwMDUzMDEwNDgzOFow

gYwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtK

ZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMTIwMAYD

VQQDEylVU0VSVHJ1c3QgSGlnaC1Bc3N1cmFuY2UgU2VjdXJlIFNlcnZlciBDQTCC

ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK6MzZglkPqv+uBYSaD8PBfo

WS0TmAuGqzjXcfBzD9b6rlV6yMRKgWyC8OO4TDTnwPWwxiJZZTXHg5G2/eXKzAOB

MMlfKsqmz04U8BefeQVRwLp2pzEMpFiGC/Xcz1RXZpVtS2FXkeGChKOTVy1PzIpG

7Ng5rmwDbacQ+gENZm08qoefd7WYJtGAq2/ddf2IHPg6xSmtnYU7pTluzjAs9QsA

ACsX6zD18H0ItznMqL0FwZIkk9ZnyhWjc5pmo8RyKBslxupC0SGIUffkYYt0zDct

vg0bUmLp2Ody9+isYcCydt8M92Gzkb4hfdBKlaEYiXjD5Da3wIAmUAzNFvYZWlUC

AwEAAaOCAXcwggFzMB8GA1UdIwQYMBaAFK29mHo0tCb3+sQmVO8DveAky1QaMB0G

A1UdDgQWBBRT6FMyCZPaxo7B7Ut2No/A8uZqdDAOBgNVHQ8BAf8EBAMCAQYwEgYD

VR0TAQH/BAgwBgEB/wIBADARBgNVHSAECjAIMAYGBFUdIAAwRAYDVR0fBD0wOzA5

oDegNYYzaHR0cDovL2NybC51c2VydHJ1c3QuY29tL0FkZFRydXN0RXh0ZXJuYWxD

QVJvb3QuY3JsMIGzBggrBgEFBQcBAQSBpjCBozA/BggrBgEFBQcwAoYzaHR0cDov

L2NydC51c2VydHJ1c3QuY29tL0FkZFRydXN0RXh0ZXJuYWxDQVJvb3QucDdjMDkG

CCsGAQUFBzAChi1odHRwOi8vY3J0LnVzZXJ0cnVzdC5jb20vQWRkVHJ1c3RVVE5T

R0NDQS5jcnQwJQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20w

DQYJKoZIhvcNAQEFBQADggEBABrrxypN7zC2awXPu3GFXvAI4CLEOx03RKf3vsZq

CaGZMfVfID79oJosLqulp1/3A/g6O2z5chBoP3iGjGuBQokfs9vbdyf8BWRMJhlW

pHsFGU7hGm4jKQ4/xuXn9tl3hUZRfdUKEYZgwNpxK3BU4TQ+cpvvgW8FoeXo9L1J

oDJFXTlItp8yVEUDwtCOxX16+U3kDFCADm/HUs19nQHtlqMkh94umU0KTtJFRHgw

qs6xdRhimRjOKLeQBRMcNxaCd0iNa6dMHUtOq9eM1V0i699L3+5VTPVK5tDbM3eF

fhkMMTS4Zabcp7rnCcJUXjpzvBpczMGWTWHh3aaBcn7dADk=

-----END CERTIFICATE-----

Sam Brynes · ‎04-07-2020

Which certificate did you import? The root CA, subordinate CA, or the certificate that was actually issued to the HTTPS site?