How do I verify DDCLIENT is using SSL and if it's not, how do I force it?

Solution 1

I have found the answer and I feel very silly not figuring it out earlier.

daemon=60                               # check every 60 seconds
syslog=yes                              # log update msgs to syslog
mail=root                               # mail all msgs to root
mail-failure=root                       # mail failed update msgs to root
pid=/var/run/ddclient.pid               # record PID in file.
ssl=yes                                 # use ssl-support.  Works with
                                        # ssl-library
use=web, web=https://myip.dnsdynamic.org        # get ip from server.
server=www.dnsdynamic.org               # default server
login=USERNAME                          # default login
password=PASSWORD                       # default password
server=www.dnsdynamic.org,              \
protocol=dyndns2                        \
YOUR DOMAIN GOES HERE

The above will force SSL and will connect over SSL. There are two changes I have made.

The line use=web, web=myip.dnsdynamic.com should be use=web, web=https://myip.dnsdynamic.org. Changing from .com to .org stops connection failures. Adding https:// prior to the connection string allows it to connect over SSL.

Output from use=web, web=myip.dnsdynamic.org shows:

use=web, web=loopia address is IPADDRESSISHERE
CONNECT:  myip.dnsdynamic.org
CONNECTED:  using HTTP
SENDING:  GET / HTTP/1.0
SENDING:   Host: myip.dnsdynamic.org
SENDING:   User-Agent: ddclient/3.8.2
SENDING:   Connection: close

Output from use=web, web=https://myip.dnsdynamic.org shows:

use=web, web=loopia address is IPADDRESSISHERE
CONNECT:  myip.dnsdynamic.org

The verification of cert '/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA/CN=www.dnsdynamic.org'
failed against the host 'myip.dnsdynamic.org' with the default verification scheme.

   THIS MIGHT BE A MAN-IN-THE-MIDDLE ATTACK !!!!

To stop this warning you might need to set SSL_verifycn_name to
the name of the host you expect in the certificate.

CONNECTED:  using SSL
SENDING:  GET / HTTP/1.0
SENDING:   Host: myip.dnsdynamic.org
SENDING:   User-Agent: ddclient/3.8.2
SENDING:   Connection: close

I am still unsure why forcing ssl=yes does not cause it to use HTTPS automatically but it is connecting over SSL now and the command as seen by @George helps me verify it is: sudo ddclient -verbose -debug -noquiet -query

Solution 2

This is only the "get IP" part. The actual update to the dynamic DNS server is not shown in your output. It may still be done over HTTP.

root@ad26e03e9704:/bin# ddclient -daemon=0 -noquiet -debug -file /config/ddclient.conf
DEBUG:    get_ip: using cmd, /config/get_ip.sh reports 10.0.0.1
DEBUG:
DEBUG:     nic_dyndns2_update -------------------
DEBUG:    proxy  =
DEBUG:    url    = http://dyndns.strato.com/nic/update?system=dyndns&hostname=bla.mydomain.com&myip=10.0.0.1
DEBUG:    server = dyndns.strato.com
SUCCESS:  updating bla.mydomain.com: good: IP address set to 10.0.0.1

If I put https in front of the server, I get:

DEBUG:    url    = http://https://dyndns.strato.com/nic/update?system=dyndns&hostname=bla.mydomain.com&myip=10.0.0.1
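
Both answers read the transport off ddclient's debug output: Solution 1 from the `CONNECTED:  using ...` lines of the IP lookup, Solution 2 from the `url    =` line of the update request. The shell function below is an added example, not part of either answer or of ddclient itself; it classifies those lines in one pass and also flags the certificate name warning. The function names are hypothetical and the sample input is constructed from the output quoted above.

```shell
#!/bin/sh
# Added example: classify each connection in ddclient debug output.
# Usage (flags as quoted on this page):
#   sudo ddclient -verbose -debug -noquiet -query 2>&1 | audit_ddclient_transport
# Exit status is 1 if any plaintext connection or certificate warning was seen.
audit_ddclient_transport() {
    awk '
        # "CONNECT:  host" names the peer of the following "CONNECTED:" line.
        $1 == "CONNECT:" { host = $2; next }

        # Warning text shown when the certificate does not match the host name.
        /failed against the host/ {
            print "CERT-NAME-MISMATCH " host; bad = 1; next
        }

        # IP lookup (use=web): the transport is stated explicitly.
        $1 == "CONNECTED:" && $2 == "using" {
            if ($3 == "SSL") print "TLS connect " host
            else { print "PLAINTEXT connect " host; bad = 1 }
            next
        }

        # Update request: judge it by the scheme of the URL that was built.
        $1 == "DEBUG:" && $2 == "url" && $3 == "=" {
            url = $4; sub(/[?].*/, "", url)     # drop the query string
            if (url ~ "^https://[^/:]") print "TLS update " url
            else { print "PLAINTEXT update " url; bad = 1 }
        }

        END { exit bad + 0 }
    '
}

# Constructed sample, modelled on the debug output quoted in the two answers.
sample_ddclient_output() {
    cat <<'EOF'
CONNECT:  myip.dnsdynamic.org
CONNECTED:  using HTTP
CONNECT:  myip.dnsdynamic.org
failed against the host 'myip.dnsdynamic.org' with the default verification scheme.
CONNECTED:  using SSL
DEBUG:    url    = http://dyndns.strato.com/nic/update?system=dyndns&hostname=bla.mydomain.com&myip=10.0.0.1
EOF
}

sample_ddclient_output | audit_ddclient_transport || :
```

The malformed `http://https://...` URL from Solution 2 is reported as a plaintext update, because the request still begins with `http://`.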

Author: Shaulinator

I'm a database administrator with additional experience in windows/linux administration. I'm working towards my MS Certifications in SQL Server and developing python programs.

Updated on September 18, 2022

Comments

  • Shaulinator
    Shaulinator almost 2 years

    I have been following this guide on setting up VPN on my pi. Part of the steps are to set up and configure a dynamic dns service. I have created several accounts across multiple platforms. No Ip and dynamicdns are two to name. Below is an output of my ddclient.conf file, it connects fine on both dynamic dns sites.

    daemon=60                               # check every 60 seconds
    syslog=yes                              # log update msgs to syslog
    mail=root                               # mail all msgs to root
    mail-failure=root                       # mail failed update msgs to root
    pid=/var/run/ddclient.pid               # record PID in file.
    ssl=yes                                 # use ssl-support.  Works with
                                            # ssl-library
    use=web, web=myip.dnsdynamic.com        # get ip from server.
    server=www.dnsdynamic.org               # default server
    login=YOURUSERNAME                      # default login
    password=YOURPASSWORD                       # default password
    server=www.dnsdynamic.org,              \
    protocol=dyndns2                        \
    MYDOMAIN.dnsdynamic.COM
    

    My issue is that in this article, they illustrate how to verify if your pi is connecting over SSL. When I run

    sudo ddclient -verbose -debug -noquiet -query 
    

    it shows connecting over HTTP vs HTTPS or SSL for each site. I verified that ssl was installed by running

    sudo apt-get install ssh libio-socket-ssl-perl
    

    Any ideas on if it's connecting via ssl or how I can force it to? I have run through this article too. I did see that ddclient stated that it would use SSL if available, I'm wondering if this is a limitation to using a free dynamicdns site or if I'm overlooking something. The articles made it appear as though the sites I'm using like no ip and dnsdynamic support SSL.

    • Admin
      Admin about 7 years
      I see sudo ddclient -debug -verbose -noquiet not sudo ddclient -verbose -debug -noquiet -query as you have...as in the second link
    • Admin
      Admin about 7 years
      @George that's my mistake, I missed adding -query. However, looking at the problem again with a fresh state of mind and you prompting me to look over the problem again did actually help me solve it! Adding the answer and will edit the question.
  • Shaulinator
    Shaulinator over 4 years
    Since posting, I have turned off my Pi that runs my DDClient. I'll have to spin up an instance and give this another test to see what the debug shows. Thank you!