

LetsEncrypt DDNS - Question

Discussion in 'Asuswrt-Merlin' started by Skeptical.me, Oct 15, 2018.

  1. Skeptical.me

    Skeptical.me Senior Member

    Joined:
    Sep 22, 2016
    Messages:
    241
    Location:
    Australia
    I'm using freedns.afraid.org for my DDNS and LetsEncrypt and I keep seeing the following in the logs (I'm just wondering what it means):

    Code:
    Oct 16 06:40:00 rc_service: service 22429:notify_rc restart_letsencrypt
     
    bitmonster likes this.
  3. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    28,266
    Location:
    Canada
    It means that the lets encrypt service has been restarted. You will have to look at the rest of your log to determine the reason why.
     
  4. Skeptical.me

    Skeptical.me Senior Member

    Joined:
    Sep 22, 2016
    Messages:
    241
    Location:
    Australia
    Thanks for the reply,

    Firstly I was using the wrong Host Name, I was still using the ASUS one, not one generated from FreeDNS.

    So, I created a Host Name, let's call it "XXXXXX.mooo.com".

    Then I regenerated a LetsEncrypt Certificate.

    As far as I'm aware, I've taken all of the correct steps. But I'm still learning, so maybe I've overlooked something.

    Here is the redacted log:

    Code:
    Oct 16 15:42:28 RT-AC86U: start https:8443
    Oct 16 15:42:28 RT-AC86U: start httpd:80
    Oct 16 15:42:28 httpd: Generating SSL certificate...
    Oct 16 15:42:28 WEBDAV_Server: daemon is stopped
    Oct 16 15:42:29 nat: apply nat rules (/tmp/nat_rules_eth0_eth0)
    Oct 16 15:42:29 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
    Oct 16 15:42:29 start_ddns: update FREEDNS.AFRAID.ORG [email protected], wan_unit 0
    Oct 16 15:42:29 inadyn[14262]: In-a-dyn version 2.5 -- Dynamic DNS update client.
    Oct 16 15:42:29 inadyn[14262]: Update forced for alias XXXXXX.mooo.com, new IP# 1XX.1XX.1XX.1XX
    Oct 16 15:42:29 Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/RT-AC68U/skynet )
    Oct 16 15:42:31 inadyn[14262]: Updating cache for XXXXXX.mooo.com
    Oct 16 15:42:50 Skynet: [#] 147419 IPs (+0) -- 1717 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [21s]
    Oct 16 15:44:20 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=MAC ADDRESS SRC=IP ADDRESS DST=MY IP ADDRESS LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=42467 DPT=9200 SEQ=1545473197 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000
    Oct 16 15:45:03 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=MAC ADDRESS SRC=IP ADDRESS DST=MY IP ADDRESS LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=4620 PROTO=TCP SPT=59236 DPT=22 SEQ=420444333 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
    Oct 16 15:46:01 rc_service: httpds 14194:notify_rc restart_ddns_le
    Oct 16 15:46:01 start_ddns: update FREEDNS.AFRAID.ORG [email protected], wan_unit 0
    Oct 16 15:46:01 inadyn[15315]: In-a-dyn version 2.5 -- Dynamic DNS update client.
    Oct 16 15:46:01 inadyn[15315]: Update forced for alias XXXXXXX.mooo.com, new IP# MY IP ADDRESS
    Oct 16 15:46:03 inadyn[15315]: Updating cache for XXXXXX.mooo.com
    Oct 16 15:46:21 kernel: acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/6alh1BFMmgSATnXGfuhydqRtX9FRq7rl3aj0Ihqs5EQ/8333894217: bad response
    Oct 16 15:46:21 kernel: acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid", "error": { "type": "urn:acme:error:connection", "detail": "Fetching http://XXXXXXX.mooo.com/.well-known/acme-challenge/-nHIKc89_XTCUWSzDKxcb1sAInALPhDGo-DhpYK03g0: Timeout during connect (likely firewall problem)", "status": 400 }, "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/6alh1BFMmgSATnXGfuhydqRtX9FRq7rl3aj0Ihqs5EQ/8333894217", "token": "-nHIKc89_XTCUWSzDKxcb1sAInALPhDGo-DhpYK03g0", "v
    Oct 16 15:46:30 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=MAC ADDRESS SRC=IP ADDRESS DST=MY IP ADDRESS LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=54321 PROTO=TCP SPT=51934 DPT=8545 SEQ=2774407542 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000
    Oct 16 15:46:30 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=MAC ADDRESS SRC=IP ADDRESS DST=MY IP ADDRESS LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=54321 PROTO=TCP SPT=51935 DPT=8545 SEQ=2774407542 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000
    Oct 16 15:46:32 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=MAC ADDRESS SRC=IP ADDRESS DST=MY IP ADDRESS LEN=29 TOS=0x00 PREC=0x00 TTL=53 ID=8184 DF PROTO=UDP SPT=58159 DPT=19 LEN=9 MARK=0x8000000
    Oct 16 15:47:01 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=MAC ADDRESS SRC=IP ADDRESS DST=MY IP ADDRESS LEN=44 TOS=0x00 PREC=0x00 TTL=110 ID=53256 PROTO=TCP SPT=62790 DPT=5984 SEQ=1318605768 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B4) MARK=0x8000000
    Oct 16 15:47:35 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=MAC ADDRESS SRC=IP ADDRESS DST=MY IP ADDRESS LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=18736 PROTO=TCP SPT=44858 DPT=32926 SEQ=2879955737 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
    Oct 16 15:48:31 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=MAC ADDRESS SRC=IP ADDRESS DST=MY IP ADDRESS LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=11012 PROTO=TCP SPT=12125 DPT=2323 SEQ=3408423607 ACK=0 WINDOW=41390 RES=0x00 SYN URGP=0 MARK=0x8000000
    Oct 16 15:48:41 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=MAC ADDRESS SRC=IP ADDRESS DST=MY IP ADDRESS LEN=56 TOS=0x00 PREC=0x00 TTL=50 ID=14696 DF PROTO=UDP SPT=60510 DPT=53 LEN=36 MARK=0x8000000
    
    
    Edit: I just checked the DDNS UI again I see there is an issue with the certificate:

    Code:
    Issued to :    192.168.1.1
    SAN :    192.168.1.1 router.asus.com RT-AC86U-1960
    Issued by :    192.168.1.1
    That certainly doesn't look right.
     
    Last edited: Oct 16, 2018
  5. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    28,266
    Location:
    Canada
    The acme client was unable to connect with Let's Encrypt to validate your identity:

    Code:
    Oct 16 15:46:21 kernel: acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/6alh1BFMmgSATnXGfuhydqRtX9FRq7rl3aj0Ihqs5EQ/8333894217: bad response
    Oct 16 15:46:21 kernel: acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid", "error": { "type": "urn:acme:error:connection", "detail": "Fetching http://XXXXXXX.mooo.com/.well-known/acme-challenge/-nHIKc89_XTCUWSzDKxcb1sAInALPhDGo-DhpYK03g0: Timeout during connect (likely firewall problem)", "status": 400 }, "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/6alh1BFMmgSATnXGfuhydqRtX9FRq7rl3aj0Ihqs5EQ/8333894217", "token": "-nHIKc89_XTCUWSzDKxcb1sAInALPhDGo-DhpYK03g0", "v
    
    This is just a generic self-signed certificate created by the router, nothing abnormal there.
     
    Skeptical.me likes this.
  6. Skeptical.me

    Skeptical.me Senior Member

    Joined:
    Sep 22, 2016
    Messages:
    241
    Location:
    Australia

    Thank you, once again, for answering my questions.

    Just one last thing, I don't want to absorb your time.

    How could I resolve the acme issue? I see in the log it indicates it's possibly a firewall issue (I have Skynet installed).


    Edit: (This is why I thought the generic self-signed cert was unusual ... because I was trying to generate a LetsEncrypt Cert.)





    Edit 2: In the logs it indicates I have reached a rate limit for letsencrypt https://letsencrypt.org/docs/rate-limits
     
    Last edited: Oct 16, 2018
  7. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    28,266
    Location:
    Canada
    Rate limits will indeed occur after too many attempts (either from you or someone else with the same domain name - one reason why Let's Encrypt with a DDNS domain name is never a good idea if you want something stable and reliable).

    You could try to disable Skynet to see if it helps. Beyond that I can't really tell, most of Asus's Let's Encrypt is closed source, so I never spent any time looking at it.
     
    Skeptical.me likes this.
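The two failures in this thread (the http-01 "Timeout during connect" in the earlier post and the rate limit mentioned here) both show up as acme-client "transfer buffer" lines in the router's syslog. As an added example, not code from the thread or from Asuswrt-Merlin, the Python below pulls the ACME error type, detail and challenge hostname out of such lines and maps each to what to check on the defending side. The sample log is constructed to mirror the format quoted above (placeholder hostname, authz id and token), the regexes and advice table are assumptions of this example, and the advice reflects what the thread says plus the fact that HTTP-01 validation always connects to port 80. It also flags lines that syslog cut off mid-JSON, as the quoted line was, which is why it does not rely on json.loads().

```python
import re

# Constructed sample syslog excerpt, modelled on the acme-client lines quoted in
# the thread. Hostname, authz id and token are placeholders, not real values.
SAMPLE_LOG = """\
Oct 16 15:46:21 kernel: acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/EXAMPLE_AUTHZ/123456: bad response
Oct 16 15:46:21 kernel: acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid", "error": { "type": "urn:acme:error:connection", "detail": "Fetching http://example-host.mooo.com/.well-known/acme-challenge/EXAMPLE_TOKEN: Timeout during connect (likely firewall problem)", "status": 400 }, "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/EXAMPLE_AUTHZ/123456", "token": "EXAMPLE_TOKEN", "v
Oct 16 16:02:10 kernel: acme-client: transfer buffer: { "type": "urn:acme:error:rateLimited", "detail": "Error creating new cert :: too many certificates already issued for exact set of domains: example-host.mooo.com", "status": 429 }
Oct 16 16:05:00 rc_service: service 22429:notify_rc restart_letsencrypt
"""

# The JSON in "transfer buffer" lines is often cut off by the syslog line limit
# (the thread's own line ends mid-key), so fields are pulled out with regexes
# rather than json.loads(), which would fail on a truncated buffer.
ERROR_TYPE_RE = re.compile(r'"type":\s*"urn:acme:error:([A-Za-z]+)"')
DETAIL_RE = re.compile(r'"detail":\s*"((?:[^"\\]|\\.)*)"')
CHALLENGE_HOST_RE = re.compile(r'https?://([A-Za-z0-9.-]+)/\.well-known/acme-challenge/')

# Defender-side reading of each ACME error type (assumed mapping for this example).
ADVICE = {
    "connection": ("Let's Encrypt could not open a TCP connection to port 80 on the "
                   "hostname. HTTP-01 validation arrives on port 80, so check that WAN "
                   "port 80 reaches the router's httpd during issuance and that a "
                   "firewall add-on is not dropping the validation traffic."),
    "rateLimited": ("A Let's Encrypt rate limit was hit. Stop retrying until the window "
                    "expires; the thread notes that other users of a shared DDNS domain "
                    "can contribute to the count."),
    "unauthorized": ("A host answered but with the wrong challenge response. Confirm the "
                     "DDNS hostname resolves to this router's current WAN address."),
    "dns": "The hostname could not be resolved publicly; check the DDNS update succeeded.",
}


def parse_acme_log(text):
    """Extract one finding per acme-client 'transfer buffer' line carrying an error."""
    findings = []
    for line in text.splitlines():
        if "acme-client: transfer buffer:" not in line:
            continue
        m_type = ERROR_TYPE_RE.search(line)
        if not m_type:
            continue  # a buffer with no error object (e.g. a valid authz)
        err = m_type.group(1)
        m_detail = DETAIL_RE.search(line)
        m_host = CHALLENGE_HOST_RE.search(line)
        findings.append({
            "time": line[:15],  # syslog "Mon DD HH:MM:SS" prefix
            "error": err,
            "detail": m_detail.group(1) if m_detail else None,
            "hostname": m_host.group(1) if m_host else None,
            # A complete buffer ends with a closing brace or bracket; anything else
            # means syslog cut the line and later fields may be missing.
            "truncated": not line.rstrip().endswith(("}", "]")),
            "advice": ADVICE.get(err, "Unrecognised ACME error type; read the detail field."),
        })
    return findings


def report(findings):
    """Render findings as one human-readable line each."""
    lines = []
    for f in findings:
        where = f["hostname"] or "(hostname not in buffer)"
        flag = " [line truncated by syslog]" if f["truncated"] else ""
        lines.append(f'{f["time"]} {f["error"]} on {where}{flag}: {f["advice"]}')
    return lines


if __name__ == "__main__":
    for line in report(parse_acme_log(SAMPLE_LOG)):
        print(line)
```

On the router itself the same parser can be fed the live syslog (for example the output of `grep acme-client /tmp/syslog.log`); the "truncated" flag is the cue that the token and later fields are not trustworthy from the log alone.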
  8. Skeptical.me

    Skeptical.me Senior Member

    Joined:
    Sep 22, 2016
    Messages:
    241
    Location:
    Australia
    Thanks for the reply,

    What I've done is whitelisted the acme domain in Skynet. And after the rate limit ban/suspension (whatever it's called) is up I'll try again. However, I may just go back to using ASUS's DDNS service because the LetsEncrypt certificate was working perfectly OK. I only swapped to FreeDNS just to try it out.

    Thanks again.
     
  9. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    28,266
    Location:
    Canada
    Any particular reason why you need a Let's Encrypt certificate on your router webui?
     
    Skeptical.me likes this.
  10. Skeptical.me

    Skeptical.me Senior Member

    Joined:
    Sep 22, 2016
    Messages:
    241
    Location:
    Australia
    No, maybe I misunderstand its purpose. Did I read correctly that the DDNS is encrypted now? I vaguely remember reading that, and I've assumed the Cert. had something to do with that. Maybe I've totally misunderstood.
     
  11. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    28,266
    Location:
    Canada
    DDNS and Let's Encrypt are two totally separate features. DDNS gives you a static hostname associated to your dynamic IP so you can remotely reach your router while outside of home. Let's Encrypt lets you obtain a certificate recognized by all web browsers, to use on your router's web interface when you access it through the DDNS hostname without getting any browser security warnings.

    Let's Encrypt needs a hostname from a valid public domain to issue a certificate, which is why it's tied to your DDNS configuration.
     