ScreenOS Firewalls (NOT SRX)
Visitor
colingmcguire
Posts: 1
Registered: 05-30-2008

DynDNS Certificate Provider Changed - ScreenOS DDNS Client Broken Until New CA Certs Loaded

It would appear that as of May 22, 2012 DynDNS has updated the certificate on the members.dyndns.org server (which is used by the ScreenOS DDNS client for DynDNS) from a certificate signed by Equifax/GeoTrust to a certificate signed by DigiCert.

We noticed this when a customer's ScreenOS device was no longer updating its DynDNS name with its current IP.

Event Log entry was:

PKI: Cannot build certificate chain for cert with subject name CN=*.dyndns.org,O=Dynamic Network Services, Inc.,L=Manchester,ST=New Hampshire,C=US,.

You’ll know it’s broken if the DDNS client menu shows a Last-response of “no init” instead of the usual “good”.

If you have any Juniper ScreenOS devices utilizing the DynDNS DDNS client, you’ll need to load the attached CA certs into the device for it to trust the new cert and be able to update DynDNS with its current IP. (Also available at https://www.digicert.com/digicert-root-certificates.htm - you need the "High Assurance EV Root CA" and the "High Assurance CA-3".)

In ScreenOS v6.3 this is in the Objects -> Certificates menu. Change the “Show” pulldown from Local to CA to see what root certs the device has loaded.

Depending on how frequently a device's public IP changes, this issue may create a problem immediately (as it did for our customer) or could take weeks or months to show up.

I do believe Juniper KB article KB7380 is now invalid and will need to be updated to reflect the new CAs.

Happy updating!

Colin
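To show why the event log above reads "Cannot build certificate chain", here is an added Go example (not from the thread, nor Juniper's or DynDNS's code): it builds a constructed PKI with an old root, a new root and a new intermediate, issues a wildcard server cert from the intermediate, and checks whether a client that trusts only a given set of CA certs can validate it. It assumes, as a modelling choice, that the server sends no intermediate, so the intermediate must already be in the local store; under that assumption the chain builds only once both the new root and the intermediate are loaded, which matches the post's advice to load both DigiCert certs.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// makeCert issues a constructed cert for cn signed by parent; a nil parent means a self-signed root.
func makeCert(cn string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		DNSNames: []string{"*.dyndns.org"}, // wildcard name as in the quoted event-log subject
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// chainBuilds reports whether a client whose only trust material is `trusted` can validate leaf
// (assumption: the server sends no intermediates, so any intermediate must already be in the store).
func chainBuilds(leaf *x509.Certificate, trusted ...*x509.Certificate) bool {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: "members.dyndns.org", Roots: roots})
	return err == nil
}
// DDNSScenarios models the thread: old CA only, new root only, and new root plus its intermediate.
func DDNSScenarios() (oldCAOnly, newRootOnly, newRootAndIntermediate bool) {
	oldCA, _ := makeCert("Constructed Old Root CA", true, nil, nil)
	newRoot, rootKey := makeCert("Constructed New Root CA", true, nil, nil)
	newInter, interKey := makeCert("Constructed New Intermediate CA", true, newRoot, rootKey)
	leaf, _ := makeCert("*.dyndns.org", false, newInter, interKey)
	return chainBuilds(leaf, oldCA), chainBuilds(leaf, oldCA, newRoot), chainBuilds(leaf, oldCA, newRoot, newInter)
}

func main() {
	fmt.Println(DDNSScenarios()) // false false true
}
```

The middle result is the one worth noting: loading only the new root is not enough when the intermediate is absent from both the store and the handshake.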

 

 

Trusted Expert
sarab
Posts: 373
Registered: 05-12-2012

Re: DynDNS Certificate Provider Changed - ScreenOS DDNS Client Broken Until New CA Certs Loaded

Thanks for updating this info.

I will verify this in our lab and make some arrangements to update the KB Article. I will keep you posted here.

New User
yjw
Posts: 3
Registered: 10-19-2010

Re: DynDNS Certificate Provider Changed - ScreenOS DDNS Client Broken Until New CA Certs Loaded

It works, thank you.

New User
khaxan
Posts: 1
Registered: 12-01-2009

Re: DynDNS Certificate Provider Changed - ScreenOS DDNS Client Broken Until New CA Certs Loaded

This suddenly started happening a few days ago (the DigiCert certificates were already there). The error message is the same. I deleted the certificates and downloaded them again but without luck.

Any ideas why this is happening?

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.