
Solved Inadyn Fails to verify server certs after update to 388.6


astephon88

I am currently using custom DDNS to update Cloudflare DNS with the following ddns-start script:
Bash:
#!/bin/sh
inadyn --once -f "/jffs/inadyn.conf" -e "/sbin/ddns_custom_updated 1" --continue-on-error "/sbin/ddns_custom_updated 0"

and inadyn.conf:
JSON:
provider cloudflare.com {
    username = <redacted>
    password = <redacted>
    hostname = <redacted>
    ttl = 60
    proxied = false
}

After updating to 388.6, inadyn is failing to verify the server certs for Cloudflare and the services it uses for checkip. I'm seeing the following errors in the system logs:
Feb 23 20:40:23 watchdog: start ddns.
Feb 23 20:40:23 ddns: update CUSTOM , wan_unit 0
Feb 23 20:40:23 ddns: Clear ddns cache.
Feb 23 20:40:23 custom_script: Running /jffs/scripts/ddns-start (args: x.x.x.x)
Feb 23 20:40:23 inadyn[3976]: In-a-dyn version 2.10.0 -- Dynamic DNS update client.
Feb 23 20:40:23 inadyn[3976]: Guessing DDNS plugin 'default@cloudflare.com' from 'cloudflare.com'
Feb 23 20:40:23 inadyn[3976]: Certificate verification error:num=20:unable to get local issuer certificate:depth=1:/C=US/O=DigiCert Inc/CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
Feb 23 20:40:23 inadyn[3976]: OpenSSL error: 4144561792:error:1416F086:lib(20):func(367):reason(134):NA:0:
Feb 23 20:40:23 inadyn[3976]: Communication with checkip server 1.1.1.1 failed, run again with 'inadyn -l debug' if problem persists
Feb 23 20:40:23 inadyn[3976]: Retrying with built-in 'default', api.ipify.org ...
Feb 23 20:40:23 inadyn[3976]: Certificate verification error:num=20:unable to get local issuer certificate:depth=2:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
Feb 23 20:40:23 inadyn[3976]: OpenSSL error: 4144561792:error:1416F086:lib(20):func(367):reason(134):NA:0:
Feb 23 20:40:23 inadyn[3976]: Failed to get IP address for default@cloudflare.com, giving up!
Feb 23 20:40:23 inadyn[3976]: Update forced for alias home.stephon.dev, new IP# 71.166.45.148
Feb 23 20:40:23 inadyn[3976]: Certificate verification error:num=20:unable to get local issuer certificate:depth=1:/C=US/O=Cloudflare, Inc./CN=Cloudflare Inc ECC CA-3
Feb 23 20:40:23 inadyn[3976]: OpenSSL error: 4144561792:error:1416F086:lib(20):func(367):reason(134):NA:0:
If I revert back to 388.5, everything works as expected again. Any ideas on how to get this fixed?
 
Ugh, I'm sorry @RMerlin. Spent about a half hour trying to search for similar reports, but I was looking for dedicated threads. Never thought to look through the release thread.
 
Asus' usage of a non-standard location for the CA bundle is problematic. I reverted from my standardized location in 388.6 to avoid potential issues with their revised SSL certificate handling, but this leads to other issues (such as the current one). Unfortunately it's not really possible for me to reconcile both methods because they use a filename that's used by default by OpenSSL for their httpd certificate (which means OpenSSL can potentially think that this server certificate also serves as the CA bundle).

Inadyn is the most commonly affected component with the current behaviour; unfortunately, inadyn does not let you define a custom bundle location at build time, only at run time.

I spent a few hours testing various ways to work around the current issues a couple of weeks ago, but couldn't find any acceptable compromise for now.
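
The log lines from the first post, triaged in an added example (not code from the thread or from the firmware project): OpenSSL verify error 20 raised against issuers from several unrelated CAs is consistent with the reply's point that the CA bundle location, rather than any single certificate, is what broke. The function names and the two-organisation threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example: triage inadyn/OpenSSL certificate verification failures in syslog.

# Constructed sample: the three verification failures quoted in the first post.
SAMPLE_LOG='Feb 23 20:40:23 inadyn[3976]: Certificate verification error:num=20:unable to get local issuer certificate:depth=1:/C=US/O=DigiCert Inc/CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
Feb 23 20:40:23 inadyn[3976]: Certificate verification error:num=20:unable to get local issuer certificate:depth=2:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
Feb 23 20:40:23 inadyn[3976]: Certificate verification error:num=20:unable to get local issuer certificate:depth=1:/C=US/O=Cloudflare, Inc./CN=Cloudflare Inc ECC CA-3'

# Read syslog on stdin; print one "num|depth|O|CN" record per verify failure.
verify_failures() {
    awk '/inadyn\[[0-9]+\]: Certificate verification error:/ {
        num = depth = org = cn = "?"
        if (match($0, "num=[0-9]+"))   num   = substr($0, RSTART + 4, RLENGTH - 4)
        if (match($0, "depth=[0-9]+")) depth = substr($0, RSTART + 6, RLENGTH - 6)
        # The subject is /C=../O=../CN=..; O may contain commas, never "/".
        if (match($0, "/O=[^/]*"))     org   = substr($0, RSTART + 3, RLENGTH - 3)
        if (match($0, "/CN=.*$"))      cn    = substr($0, RSTART + 4)
        print num "|" depth "|" org "|" cn
    }'
}

# Heuristic (assumption of this example): error 20 ("unable to get local
# issuer certificate") against two or more unrelated CA organisations points
# at the trust store as a whole (bundle path wrong, empty or unreadable),
# while a single organisation points at one missing root or intermediate.
diagnose() {
    orgs=$(verify_failures |
        awk -F'|' '$1 == 20 && !seen[$3]++ { n++ } END { print n + 0 }')
    if [ "$orgs" -ge 2 ]; then
        echo "trust-store"
    elif [ "$orgs" -eq 1 ]; then
        echo "single-ca"
    else
        echo "no-verify-errors"
    fi
}

# Stand-alone run over the embedded sample.
printf '%s\n' "$SAMPLE_LOG" | verify_failures
printf '%s\n' "$SAMPLE_LOG" | diagnose
```

On a live system, feed the functions the router's syslog instead of `SAMPLE_LOG`.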
 
