LetsEncrypt DDNS - Question

Skeptical.me

I'm using freedns.afraid.org for my DDNS and LetsEncrypt and I keep seeing the following in the logs (I'm just wondering what it means):

Code:
Oct 16 06:40:00 rc_service: service 22429:notify_rc restart_letsencrypt
 
It means that the Let's Encrypt service has been restarted. You will have to look at the rest of your log to determine the reason why.
 
Thanks for the reply,

Firstly I was using the wrong Host Name, I was still using the ASUS one, not one generated from FreeDNS.

So, I created a Host Name, let's call it "XXXXXX.mooo.com"

Then I regenerated a LetsEncrypt Certificate.

As far as I'm aware, I've taken all of the correct steps. But I'm still learning so maybe I've overlooked something.

Here is the redacted log

Code:
Oct 16 15:42:28 RT-AC86U: start https:8443
Oct 16 15:42:28 RT-AC86U: start httpd:80
Oct 16 15:42:28 httpd: Generating SSL certificate...
Oct 16 15:42:28 WEBDAV_Server: daemon is stopped
Oct 16 15:42:29 nat: apply nat rules (/tmp/nat_rules_eth0_eth0)
Oct 16 15:42:29 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Oct 16 15:42:29 start_ddns: update FREEDNS.AFRAID.ORG default@freedns.afraid.org, wan_unit 0
Oct 16 15:42:29 inadyn[14262]: In-a-dyn version 2.5 -- Dynamic DNS update client.
Oct 16 15:42:29 inadyn[14262]: Update forced for alias XXXXXX.mooo.com, new IP# 1XX.1XX.1XX.1XX
Oct 16 15:42:29 Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/RT-AC68U/skynet )
Oct 16 15:42:31 inadyn[14262]: Updating cache for XXXXXX.mooo.com
Oct 16 15:42:50 Skynet: [#] 147419 IPs (+0) -- 1717 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [21s]
Oct 16 15:44:20 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=MAC ADDRESS SRC=IP ADDRESS DST=MY IP ADDRESS LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=42467 DPT=9200 SEQ=1545473197 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000
Oct 16 15:45:03 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=MAC ADDRESS SRC=IP ADDRESS DST=MY IP ADDRESS LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=4620 PROTO=TCP SPT=59236 DPT=22 SEQ=420444333 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Oct 16 15:46:01 rc_service: httpds 14194:notify_rc restart_ddns_le
Oct 16 15:46:01 start_ddns: update FREEDNS.AFRAID.ORG default@freedns.afraid.org, wan_unit 0
Oct 16 15:46:01 inadyn[15315]: In-a-dyn version 2.5 -- Dynamic DNS update client.
Oct 16 15:46:01 inadyn[15315]: Update forced for alias XXXXXXX.mooo.com, new IP# MY IP ADDRESS
Oct 16 15:46:03 inadyn[15315]: Updating cache for XXXXXX.mooo.com
Oct 16 15:46:21 kernel: acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/6alh1BFMmgSATnXGfuhydqRtX9FRq7rl3aj0Ihqs5EQ/8333894217: bad response
Oct 16 15:46:21 kernel: acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid", "error": { "type": "urn:acme:error:connection", "detail": "Fetching http://XXXXXXX.mooo.com/.well-known/acme-challenge/-nHIKc89_XTCUWSzDKxcb1sAInALPhDGo-DhpYK03g0: Timeout during connect (likely firewall problem)", "status": 400 }, "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/6alh1BFMmgSATnXGfuhydqRtX9FRq7rl3aj0Ihqs5EQ/8333894217", "token": "-nHIKc89_XTCUWSzDKxcb1sAInALPhDGo-DhpYK03g0", "v
Oct 16 15:46:30 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=MAC ADDRESS SRC=IP ADDRESS DST=MY IP ADDRESS LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=54321 PROTO=TCP SPT=51934 DPT=8545 SEQ=2774407542 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000
Oct 16 15:46:30 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=MAC ADDRESS SRC=IP ADDRESS DST=MY IP ADDRESS LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=54321 PROTO=TCP SPT=51935 DPT=8545 SEQ=2774407542 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000
Oct 16 15:46:32 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=MAC ADDRESS SRC=IP ADDRESS DST=MY IP ADDRESS LEN=29 TOS=0x00 PREC=0x00 TTL=53 ID=8184 DF PROTO=UDP SPT=58159 DPT=19 LEN=9 MARK=0x8000000
Oct 16 15:47:01 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=MAC ADDRESS SRC=IP ADDRESS DST=MY IP ADDRESS LEN=44 TOS=0x00 PREC=0x00 TTL=110 ID=53256 PROTO=TCP SPT=62790 DPT=5984 SEQ=1318605768 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B4) MARK=0x8000000
Oct 16 15:47:35 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=MAC ADDRESS SRC=IP ADDRESS DST=MY IP ADDRESS LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=18736 PROTO=TCP SPT=44858 DPT=32926 SEQ=2879955737 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Oct 16 15:48:31 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=MAC ADDRESS SRC=IP ADDRESS DST=MY IP ADDRESS LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=11012 PROTO=TCP SPT=12125 DPT=2323 SEQ=3408423607 ACK=0 WINDOW=41390 RES=0x00 SYN URGP=0 MARK=0x8000000
Oct 16 15:48:41 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=MAC ADDRESS SRC=IP ADDRESS DST=MY IP ADDRESS LEN=56 TOS=0x00 PREC=0x00 TTL=50 ID=14696 DF PROTO=UDP SPT=60510 DPT=53 LEN=36 MARK=0x8000000

Edit: I just checked the DDNS UI again I see there is an issue with the certificate:

Code:
Issued to :    192.168.1.1
SAN :    192.168.1.1 router.asus.com RT-AC86U-1960
Issued by :    192.168.1.1

That certainly doesn't look right.
 
The acme client was unable to connect with Let's Encrypt to validate your identity:

Code:
Oct 16 15:46:21 kernel: acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/6alh1BFMmgSATnXGfuhydqRtX9FRq7rl3aj0Ihqs5EQ/8333894217: bad response
Oct 16 15:46:21 kernel: acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid", "error": { "type": "urn:acme:error:connection", "detail": "Fetching http://XXXXXXX.mooo.com/.well-known/acme-challenge/-nHIKc89_XTCUWSzDKxcb1sAInALPhDGo-DhpYK03g0: Timeout during connect (likely firewall problem)", "status": 400 }, "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/6alh1BFMmgSATnXGfuhydqRtX9FRq7rl3aj0Ihqs5EQ/8333894217", "token": "-nHIKc89_XTCUWSzDKxcb1sAInALPhDGo-DhpYK03g0", "v

Edit: I just checked the DDNS UI again I see there is an issue with the certificate:

Code:
Issued to :    192.168.1.1
SAN :    192.168.1.1 router.asus.com RT-AC86U-1960
Issued by :    192.168.1.1

That certainly doesn't look right.

This is just a generic self-signed certificate created by the router, nothing abnormal there.
 

Thank you, once again, for answering my questions.

Just one last thing, I don't want to absorb your time.

How could I resolve the acme issue? I see in the log it indicates it's possibly a firewall issue (I have Skynet installed).


Edit: (This is why I thought the generic self signed cert was unusual ... because I was trying to generate a LetsEncrypt Cert.)


Edit 2: In the logs it indicates I have reached a rate limit for letsencrypt https://letsencrypt.org/docs/rate-limits
 
Rate limits will indeed occur after too many attempts (either from you or someone else with the same domain name - one reason why Let's Encrypt with a DDNS domain name is never a good idea if you want something stable and reliable).

You could try to disable Skynet to see if it helps. Beyond that I can't really tell, most of Asus's Let's Encrypt is closed source, so I never spent any time looking at it.
 
Thanks for the reply,

What I've done is whitelisted the acme domain in Skynet. And after the rate limit ban/suspension (whatever it's called) is up I'll try again. However, I may just go back to using ASUS's DDNS service because the LetsEncrypt certificate was working perfectly ok. I only swapped to FreeDNS just to try it out.

Thanks again.
 
Any particular reason why you need a Let's Encrypt certificate on your router webui?
 
No, maybe I misunderstand its purpose. Did I read correctly that the DDNS is encrypted now? I vaguely remember reading that, and I've assumed the Cert. had something to do with that. Maybe I've totally misunderstood.
 
DDNS and Let's Encrypt are two totally separate features. DDNS gives you a static hostname associated to your dynamic IP so you can remotely reach your router while outside of home. Let's Encrypt lets you obtain a certificate recognized by all web browsers, to use on your router's web interface when you access it through the DDNS hostname without getting any browser security warnings.

Let's Encrypt needs a hostname from a valid public domain to issue a certificate, which is why it's tied to your DDNS configuration.
 
Did anyone ever find out what's happening here? I am having the same problem using Google DDNS.

I find it unusual that the acme-client is trying to send a request to http://XXXXXXX.moo.com/.well-known... instead of https with port 8443. Why would it expect a response on port 80 (especially with AI Cloud enabled) and when Asus's own directions say to use port 8443 with https. Neither of which is used by the acme-client.

 
I find it unusual that the acme-client is trying to send a request to http://XXXXXXX.moo.com/.well-known... instead of https with port 8443.

That does make sense to me. If you are trying to install your first SSL certificate, then your web server probably isn't https-enabled yet; therefore the check must be done over http. This is pretty much the same as when I setup LE using acme.sh on a customer's server where there is no SSL yet. I only enable SSL in Apache after I have obtained a certificate.
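Added example (not code from this thread, from Asus's firmware, or from acme.sh) that ties the two replies above together: it recovers the challenge object from the truncated acme-client "transfer buffer" line posted earlier, names the host and port the validator had to reach for that challenge type (RFC 8555 fixes http-01 to plain HTTP on port 80, regardless of which port the router's own HTTPS UI uses), and includes a plain TCP probe so reachability can be confirmed before another order is placed. The log line is the one from the thread; the `VALIDATION_PORT` table, the regex-based parser, the wording of `diagnose` and the `port_open`/`demo_port_check` helpers are this example's own.

```python
import re
import socket
from urllib.parse import urlsplit

# Constructed sample: the acme-client line quoted in this thread, truncated exactly
# as the router's syslog cut it off (the trailing '"v' is where the buffer stops).
SAMPLE_LOG_LINE = (
    'Oct 16 15:46:21 kernel: acme-client: transfer buffer: [{ "type": "http-01", '
    '"status": "invalid", "error": { "type": "urn:acme:error:connection", '
    '"detail": "Fetching http://XXXXXXX.mooo.com/.well-known/acme-challenge/'
    '-nHIKc89_XTCUWSzDKxcb1sAInALPhDGo-DhpYK03g0: Timeout during connect '
    '(likely firewall problem)", "status": 400 }, "uri": "https://acme-v01.api.'
    'letsencrypt.org/acme/challenge/6alh1BFMmgSATnXGfuhydqRtX9FRq7rl3aj0Ihqs5EQ/'
    '8333894217", "token": "-nHIKc89_XTCUWSzDKxcb1sAInALPhDGo-DhpYK03g0", "v'
)

# Port the CA's validator connects to per challenge type (RFC 8555): http-01 is
# plain HTTP on 80, tls-alpn-01 is TLS on 443. The router's 8443 HTTPS listener
# plays no part in either. (Table is this example's, not from the thread.)
VALIDATION_PORT = {"http-01": 80, "tls-alpn-01": 443}


def _field(name, text):
    """First string-valued JSON field `name` in `text`. Regex rather than json.loads,
    because a truncated syslog line is not valid JSON."""
    m = re.search(r'"%s"\s*:\s*"([^"]*)"' % re.escape(name), text)
    return m.group(1) if m else None


def parse_acme_log(line):
    """Recover the challenge object from an acme-client 'transfer buffer' syslog line."""
    marker = "transfer buffer:"
    if marker not in line:
        raise ValueError("not an acme-client transfer buffer line")
    body = line.split(marker, 1)[1]
    # The nested "error" object carries its own "type" and "status"; cut it out
    # first so the top-level fields are read from the right object.
    err = re.search(r'"error"\s*:\s*\{([^}]*)\}', body)
    err_text = err.group(1) if err else ""
    top = body.replace(err_text, "") if err_text else body
    fetched = re.search(r"Fetching (\S+?):\s", err_text)
    return {
        "type": _field("type", top),
        "status": _field("status", top),
        "token": _field("token", top),
        "error_type": _field("type", err_text),
        "detail": _field("detail", err_text),
        "fetched_url": fetched.group(1) if fetched else None,
    }


def validation_target(challenge):
    """(host, port) the validator had to reach. urlsplit lowercases the hostname,
    which is harmless: DNS names are case-insensitive."""
    url = urlsplit(challenge["fetched_url"])
    return url.hostname, url.port or VALIDATION_PORT.get(challenge["type"])


def diagnose(challenge):
    """Turn a parsed challenge into the next check to make."""
    if challenge["status"] != "invalid":
        return "challenge status is %s; nothing to fix" % challenge["status"]
    host, port = validation_target(challenge)
    if challenge["error_type"] == "urn:acme:error:connection":
        return ("Let's Encrypt could not open TCP/%d to %s. Allow inbound %d to the "
                "router's httpd through the firewall (Skynet/iptables) and any "
                "upstream NAT before retrying; failed validations are themselves "
                "rate-limited." % (port, host, port))
    return "challenge failed (%s): %s" % (challenge["error_type"], challenge["detail"])


def port_open(host, port, timeout=5.0):
    """True if a TCP connection to host:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def demo_port_check():
    """Offline demonstration of port_open: probe a loopback listener while it is
    open, then again after it is closed. Returns (while_open, after_close)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = port_open("127.0.0.1", port, timeout=2.0)
    srv.close()
    after_close = port_open("127.0.0.1", port, timeout=2.0)
    return while_open, after_close


if __name__ == "__main__":
    print(diagnose(parse_acme_log(SAMPLE_LOG_LINE)))
    print("loopback probe (open, closed):", demo_port_check())
```

Run the probe from outside your own network (a phone on mobile data, a VPS) against the DDNS name: from inside the LAN a connection to your WAN address may succeed or fail because of NAT loopback rather than because of what the CA actually sees.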
 
I have a similar problem, where the Asus router exhausted my letsencrypt certificate renewal for the week (which is set to 5 renewals per week hard limit by letsencrypt). I found out that the router obtains a new letsencrypt certificate each time it reboots. I also noticed that it stores the current cert and private key in /jffs/.le/<DDNS_NAME>/.

I'm wondering why it renews its letsencrypt cert on reboot, when it's still valid and the DDNS name hasn't changed? This leads to exhausting letsencrypt cert renewals unnecessarily and might be something that could be fixed in one of the upcoming releases...

Here is an example from crt.sh of how many certs my router consumed in the last few days just due to restarts:

Logged At Not Before Not After Issuer Name
2019-03-17 2019-03-17 2019-06-15 C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
2019-03-16 2019-03-16 2019-06-14 C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
2019-03-16 2019-03-16 2019-06-14 C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
2019-03-15 2019-03-15 2019-06-13 C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
2019-03-14 2019-03-14 2019-06-12 C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
2019-03-14 2019-03-14 2019-06-12 C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
2019-03-09 2019-03-09 2019-06-07 C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
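Added example, not the router's code (Asus's Let's Encrypt client is closed source, as noted earlier in the thread): a Python script that parses the crt.sh rows from this post, counts issuances in a sliding 7-day window against the 5-per-week duplicate-certificate limit the post mentions, reports the first day another order would fit, and shows the gate a reboot hook should apply instead of unconditionally ordering a new certificate (renew only when the current one is near expiry). The day-granularity sliding window and the 30-day renewal threshold are this example's assumptions; the rows are copied from the post.

```python
from datetime import date, timedelta

# Constructed sample: the crt.sh rows from the post above
# (Logged At, Not Before, Not After, Issuer Name), all for one DDNS name.
CRTSH_ROWS = """\
2019-03-17 2019-03-17 2019-06-15 C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
2019-03-16 2019-03-16 2019-06-14 C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
2019-03-16 2019-03-16 2019-06-14 C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
2019-03-15 2019-03-15 2019-06-13 C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
2019-03-14 2019-03-14 2019-06-12 C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
2019-03-14 2019-03-14 2019-06-12 C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
2019-03-09 2019-03-09 2019-06-07 C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
"""

# 5 duplicate certificates per week is the figure the post gives for Let's Encrypt.
DUPLICATE_CERT_LIMIT = 5
# Assumed: a sliding 7-day window at day granularity (the post does not spell out
# the exact window semantics).
WINDOW_DAYS = 7
# Assumed renewal policy: renew only when fewer than this many days remain.
RENEW_BEFORE_DAYS = 30


def _day(value):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def parse_crtsh(text):
    """Parse whitespace-separated crt.sh rows into dicts with date objects.
    Header or blank lines are skipped."""
    certs = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue
        logged, not_before, not_after, issuer = parts
        try:
            certs.append({"logged": _day(logged), "not_before": _day(not_before),
                          "not_after": _day(not_after), "issuer": issuer})
        except ValueError:
            continue  # e.g. the 'Logged At Not Before ...' header row
    return certs


def issued_in_window(certs, day, window_days=WINDOW_DAYS):
    """Certificates whose Not Before falls in the window ending on `day` (inclusive)."""
    day = _day(day)
    start = day - timedelta(days=window_days)
    return [c for c in certs if start < c["not_before"] <= day]


def next_allowed(certs, day, limit=DUPLICATE_CERT_LIMIT):
    """First day on or after `day` on which one more issuance stays within the limit."""
    day = _day(day)
    while len(issued_in_window(certs, day)) >= limit:
        day += timedelta(days=1)
    return day.isoformat()


def needs_renewal(cert, today, renew_before_days=RENEW_BEFORE_DAYS):
    """The gate the router seems to lack: renew only when the cert is close to expiry."""
    return (cert["not_after"] - _day(today)).days < renew_before_days


def renewal_decision(certs, today):
    """What a reboot hook should decide instead of always ordering a new certificate."""
    today = _day(today)
    current = max(certs, key=lambda c: c["not_after"])
    if not needs_renewal(current, today):
        return "keep: current certificate valid until %s" % current["not_after"].isoformat()
    if len(issued_in_window(certs, today)) >= DUPLICATE_CERT_LIMIT:
        return "wait: duplicate-certificate limit reached, retry on %s" % next_allowed(certs, today)
    return "renew"


if __name__ == "__main__":
    certs = parse_crtsh(CRTSH_ROWS)
    for when in ("2019-03-17", "2019-05-20"):
        print(when, "issued in last %d days:" % WINDOW_DAYS,
              len(issued_in_window(certs, when)), "->", renewal_decision(certs, when))
    print("next issuance that fits the limit after 2019-03-17:",
          next_allowed(certs, "2019-03-17"))
```

On the rows above the script finds six certificates in the week ending 2019-03-17, already past the limit, and 2019-03-21 as the first day another order would fit; the decision for any day in March is "keep", since the newest certificate runs to 2019-06-15, which is exactly why the reboot-time re-issuance the post describes is wasted budget.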
 
