Adding SSL cert chain for duckdns.org dynamic DNS updates to Cisco IOS trusted cert store
11-19-2017 09:20 PM - edited 03-05-2019 09:30 AM
I am using a free dynamic DNS (DDNS) updating service called Duck DNS (duckdns.org). The URL I'm using to trigger DDNS updates from the router is:
https://www.duckdns.org/update?domains=<h>&token=<REMOVED>&ip=<a>&verbose=true
AFAIK, Cisco IOS replaces <h> with the DDNS hostname to update and <a> with the current IP address.
I enabled dynamic DNS update debugging, and it looks like the router is attempting to trigger the update, but when I log into my account on duckdns.org, the IP is not being updated.
I believe there's an issue with Cisco IOS not trusting the SSL certificate at https://www.duckdns.org.
Can someone please help me walk through how I can add the entire SSL certificate chain to the Cisco router so that it will trigger DDNS updates properly? I am using a Cisco 1921 ISR router running 15.4(3)M8.
I looked at the cert chain for https://www.duckdns.org, and it looks like there's a root CA (Starfield), a subordinate CA, and the cert for https://www.duckdns.org.
Here are the logs:
router#show debug
Dynamic DNS debugging is on
Cryptographic Subsystem:
Crypto Engine Error debugging is on
PKI:
Crypto PKI Msg debugging is on
Crypto PKI Trans debugging is on
verbose debug output debugging is on
router#
Nov 19 2017 22:16:16.361 MST: DYNDNSUPD: Adding DNS mapping for <host>.duckdns.org <=> <IP>
Nov 19 2017 22:16:16.361 MST: HTTPDNS: Update add called for <host>.duckdns.org <=> <IP>
Nov 19 2017 22:16:16.361 MST: HTTPDNSUPD: Session ID = 0xF2
Nov 19 2017 22:16:16.361 MST: HTTPDNSUPD: URL = 'https://www.duckdns.org/update?domains=<HOSTNAME>&token=<TOKEN>&ip=<IP>&verbose=true'
Nov 19 2017 22:16:16.361 MST: HTTPDNSUPD: Sending request
Nov 19 2017 22:16:16.573 MST: CRYPTO_PKI: (A03DA) Session started - identity selected (TP-self-signed-2092446490)x
Nov 19 2017 22:16:16.573 MST: CRYPTO_PKI: Rcvd request to end PKI session A03DA.
Nov 19 2017 22:16:16.573 MST: CRYPTO_PKI: PKI session A03DA has ended. Freeing all resources.
Nov 19 2017 22:16:16.573 MST: CRYPTO_PKI: unlocked trustpoint TP-self-signed-2092446490, refcount is 0
Nov 19 2017 22:16:16.685 MST: CRYPTO_PKI: (A03DB) Session started - identity not specified
Nov 19 2017 22:16:16.689 MST: CRYPTO_PKI: Added x509 peer certificate - (1371) bytes
Nov 19 2017 22:16:16.689 MST: CRYPTO_PKI: Added x509 peer certificate - (1284) bytes
Nov 19 2017 22:16:16.689 MST: CRYPTO_PKI: Added x509 peer certificate - (1188) bytes
Nov 19 2017 22:16:16.693 MST: CRYPTO_PKI: Added x509 peer certificate - (1043) bytes
Nov 19 2017 22:16:16.693 MST: CRYPTO_PKI: create new ca_req_context type PKI_VERIFY_CHAIN_CONTEXT,ident 491
Nov 19 2017 22:16:16.693 MST: CRYPTO_PKI: (A03DB)validation path has 1 certs
Nov 19 2017 22:16:16.693 MST: CRYPTO_PKI: Unable to locate cert record by issuername
Nov 19 2017 22:16:16.693 MST: CRYPTO_PKI: No trust point for cert issuer, looking up cert chain
Nov 19 2017 22:16:16.693 MST: CRYPTO_PKI: destroy ca_req_context type PKI_VERIFY_CHAIN_CONTEXT,ident 491
Nov 19 2017 22:16:16.693 MST: CRYPTO_PKI: Rcvd request to end PKI session A03DB.
router#
Nov 19 2017 22:16:16.693 MST: CRYPTO_PKI: PKI session A03DB has ended. Freeing all resources.
Nov 19 2017 22:16:16.693 MST: HTTPDNSUPD: Call returned Request Aborted, update of <HOSTNAME><=> <IP> failed
Nov 19 2017 22:16:16.693 MST: DYNDNSUPD: Another update completed (outstanding=0, total=0)
Nov 19 2017 22:16:16.697 MST: HTTPDNSUPD: Clearing all session 242 info
router#
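Added example, not part of the original post: a short Python parser for the debug output above that groups the CRYPTO_PKI lines by session and reports which session hit "No trust point for cert issuer" just before the DDNS update was aborted. The sample lines are copied from the post; the function and field names are chosen here for illustration.

```python
import re

# Lines copied from the debug output in the post above (placeholders as posted).
SAMPLE = """\
Nov 19 2017 22:16:16.573 MST: CRYPTO_PKI: (A03DA) Session started - identity selected (TP-self-signed-2092446490)x
Nov 19 2017 22:16:16.573 MST: CRYPTO_PKI: PKI session A03DA has ended. Freeing all resources.
Nov 19 2017 22:16:16.685 MST: CRYPTO_PKI: (A03DB) Session started - identity not specified
Nov 19 2017 22:16:16.689 MST: CRYPTO_PKI: Added x509 peer certificate - (1371) bytes
Nov 19 2017 22:16:16.689 MST: CRYPTO_PKI: Added x509 peer certificate - (1284) bytes
Nov 19 2017 22:16:16.693 MST: CRYPTO_PKI: (A03DB)validation path has 1 certs
Nov 19 2017 22:16:16.693 MST: CRYPTO_PKI: No trust point for cert issuer, looking up cert chain
router#
Nov 19 2017 22:16:16.693 MST: CRYPTO_PKI: PKI session A03DB has ended. Freeing all resources.
Nov 19 2017 22:16:16.693 MST: HTTPDNSUPD: Call returned Request Aborted, update of <HOSTNAME><=> <IP> failed
"""

LINE = re.compile(r"^\w{3} +\d+ \d{4} [\d:.]+ \w+: (?P<tag>[A-Z_]+): (?P<msg>.*)$")

def diagnose(log_text):
    """Group CRYPTO_PKI lines by session; mark the session that preceded a failed update."""
    sessions, current, ended = [], None, None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:  # CLI prompts such as "router#" interleaved with the debug output
            continue
        tag, msg = m["tag"], m["msg"]
        if tag == "HTTPDNSUPD" and "failed" in msg and ended:
            ended["update_failed"] = True  # blame the most recently closed PKI session
        if tag != "CRYPTO_PKI":
            continue
        if start := re.match(r"\((\w+)\) ?Session started", msg):
            current = {"id": start[1], "peer_cert_bytes": [], "path_len": None,
                       "no_trustpoint": False, "update_failed": False}
            sessions.append(current)
        elif current is None:  # PKI housekeeping lines outside any open session
            continue
        elif cert := re.search(r"peer certificate - \((\d+)\) bytes", msg):
            current["peer_cert_bytes"].append(int(cert[1]))
        elif path := re.search(r"validation path has (\d+) certs", msg):
            current["path_len"] = int(path[1])
        elif "No trust point for cert issuer" in msg:
            current["no_trustpoint"] = True
        elif "has ended" in msg:
            ended, current = current, None
    return sessions

def untrusted_failures(log_text):
    """Session IDs where issuer lookup found no trustpoint and the update then failed."""
    return [s["id"] for s in diagnose(log_text) if s["no_trustpoint"] and s["update_failed"]]
```

Run against the full debug capture, `untrusted_failures` separates the router's own self-signed identity session (A03DA) from the server-certificate validation session (A03DB) that could not find a trustpoint for the issuer.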