ASUS DDNS certificate verification error

[Richard Appleton]

Can anyone help please? I’m using a (new to me) ASUS RT-AC87U router with latest Merlin firmware and ASUS DDNS enabled. It’s been fine for around 3 weeks but now I am getting the following intermittent log message and cannot connect to my OpenVPN server from internet.



Oct 18 12:00:02 inadyn[552]: Update forced for alias myname.asuscomm.com, new IP# nn.nnn.nn.nnn (NB changed my name/ip details for security purposes).

Oct 18 12:00:04 kernel: ADDRCONF(NETDEV_UP): tun21: link is not ready

Oct 18 12:00:04 kernel: device tun21 entered promiscuous mode

Oct 18 12:00:04 inadyn[552]: Certificate verification error:num=10:certificate has expired:depth=0:/CN=ns1.asuscomm.com

Oct 18 12:00:04 inadyn[552]: OpenSSL error: 1024:error:1416F086:lib(20):func(367):reason(134):NA:0:

I rebooted the router but the problem persisted so out of desperation I factory reset and reloaded config file. This appears to have corrected it but I’m wondering if anyone knows what causes this problem?



Thanks

 

[RMerlin]

Expired certificate problem would have been on Asus's own servers, since your clock seems to be correct.

 

[Richard Appleton]

Ah OK thanks, so nothing for me to change!

 

[Richard Appleton]

Expired certificate problem would have been on Asus's own servers, since your clock seems to be correct.

Just one more question if you don't mind: In Advanced Settings/ WAN / Webui SSL Certificate / Free certificate from Let's Encrypt the status is constantly showing "Updating..." - is this normal? (certificate expiry date shown as 2028/5/5)

 

[thaMini]

I think this is the same problem as: https://www.snbforums.com/threads/lets-encrypt-not-updating-or.59524/

 

[TheKolaNN]

I noticed turning off Let's Encrypt works as a workaround for this issue.

 

[dave14305]

Expired certificate problem would have been on Asus's own servers, since your clock seems to be correct.

Looks like they are returning a certificate for ns1.asuscomm.com but inadyn is configured for nwsrv-ns1.asus.com.

 

[RMerlin]

Looks like they are returning a certificate for ns1.asuscomm.com but inadyn is configured for nwsrv-ns1.asus.com.

Which is correct. The update server does not necessarily have to match the authoritative nameserver. That nwsrv-ns1 server is the correct one for updates.

EDIT: which means Asus has an incorrect certificate deployed. They will have to either reissue the certificate with the correct CN, or change the DDNS client code to switch to ns1.asuscomm.com (right now their latest DDNS code still uses nwsrv-ns1.asus.com).

 

[RMerlin]

I just tested it here, and despite having an invalid certificate, my Asus DDNS still updated just fine on my test router. I suspect that inadyn does not validate the CN, it only validate the expiration date (which was expired in the OP's case).

Since Asus uses Let's Encrypt on their own server, maybe it was expired at a certain time, and has now been renewed properly. Or they have a cluster, and some of the servers in their cluster weren't up-to-date.

In any case, I still recommend people to use a third party service like Afraid rather than Asus's. Asus's DDNS has had extensive outages in the past, plus it will tie your hostname to your current router. If that router dies, or you forget to unregister a hostname before changing router, you will be force to change to a new hostname.

 

[martinr]

I noticed turning off Let's Encrypt works as a workaround for this issue.

I’m trying to work out the security implications if doing this - I’m looking for a safe temporary fix. Would turning off Let’s Encrypt, as a temporary workaround, mean that the OpenVPN symmetric key exchange could be intercepted by a nan in the middle?

 

[RMerlin]

Let's Encrypt has nothing to do with VPN, it's only for the webui.

 

[TheKolaNN]

Let's Encrypt has nothing to do with VPN, it's only for the webui.

That's true. But it was no workaround really. I misinterpreted the results. Asus DDNS still worked as a lottery. I switched to no-ip.

 

[martinr]

That's true. But it was no workaround really. I misinterpreted the results. Asus DDNS still worked as a lottery. I switched to no-ip.

and in comparison to setting up Asus DDNS, scoring 10/10 for ease and simplicity, where would yo put No-ip?

 

[RMerlin]

and in comparison to setting up Asus DDNS, scoring 10/10 for ease and simplicity, where would yo put No-ip?

Configure it once, then never think about it again for many years. I'd put that above Asus DDNS, which a) had a few multi-days outages over the past few years, b) will be difficult to deal with the day you change your router.

 

[OBENZ]

and in comparison to setting up Asus DDNS, scoring 10/10 for ease and simplicity, where would yo put No-ip?

Used noip before ddns was very simple and no downtime vs asus having few outages over the years so it's more reliable and as easy. Went back to it last week since asus ddns started acting up

Sent from my SM-G965F using Tapatalk

 

[TheKolaNN]

and in comparison to setting up Asus DDNS, scoring 10/10 for ease and simplicity, where would yo put No-ip?

9.5/10, simple enough, no problems when changing router.

 

[saccleo]

I met this problem again today.
There is a temporary method to solve this problem. Just put this “ssl = false” after checkip-command = “/usr/sbin/nvram get wan0_ipaddr” in the /etc/inadyn.conf.
This will disable ssl connection, and it is unsafe.

 

[rromeroa]

I met this problem again today.
There is a temporary method to solve this problem. Just put this “ssl = false” after checkip-command = “/usr/sbin/nvram get wan0_ipaddr” in the /etc/inadyn.conf.
This will disable ssl connection, and it is unsafe.

great and simple solution to solve it.
thanks