05-23-2012 07:00 AM
It would appear that as of May 22, 2012 DynDNS has updated the certificate on the members.dyndns.org server (which is used by the ScreenOS DDNS client for DynDNS) from a certificate signed by Equifax/Geotrust to a certificate signed by DigiCert.
We noticed this when a customer's ScreenOS device was no longer updating its DynDNS name with its current IP.
Event Log entry was:
PKI: Cannot build certificate chain for cert with subject name CN=*.dyndns.org,O=Dynamic Network Services, Inc.,L=Manchester,ST=New Hampshire,C=US,.
You’ll know it’s broken if the DDNS client menu shows a Last-response of “no init” instead of the usual “good”.
If you have any Juniper ScreenOS devices utilizing the DynDNS DDNS client, you’ll need to load the attached CA certs into the device for it to trust the new cert and be able to update DynDNS with its current IP. (Also available at https://www.digicert.com/digicert-root-certificate)
In ScreenOS v6.3 this is in the Objects -> Certificates menu. Change the “Show” pulldown from Local to CA to see what root certs the device has loaded.
Depending on how frequently a device's public IP changes, this issue may create a problem immediately (as it did for our customer) or could take weeks or months to show up.
I do believe Juniper KB article KB7380 is now invalid and will need to be updated to reflect the new CAs.
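To make the failure mode concrete, here is an added example (not code from the post or from Juniper) that simulates the chain-building step the device performs before trusting the DDNS server: with only the old Equifax root loaded, no chain can be built to the DigiCert-signed leaf, which is the "Cannot build certificate chain" / "no init" state; once the DigiCert root is loaded the chain completes. The certificate subjects are constructed placeholders, and the intermediate-plus-root shape of the new chain is an assumption.

```python
"""Simulate the PKI chain-building check a ScreenOS DDNS client performs
before it trusts members.dyndns.org. Constructed example; the DN strings
are placeholders, not the real certificate contents."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str          # simplified distinguished name
    issuer: str           # subject of the signing certificate
    self_signed: bool = False


def build_chain(leaf, intermediates, trusted_roots):
    """Walk issuer links upward from the leaf. Return the full chain ending
    in a trusted root, or None when no loaded CA is reached (the condition
    behind "PKI: Cannot build certificate chain")."""
    by_subject = {c.subject: c for c in intermediates}
    trusted = {r.subject: r for r in trusted_roots}
    chain, seen, cur = [leaf], {leaf.subject}, leaf
    while True:
        if cur.issuer in trusted:          # reached a root the device trusts
            return chain + [trusted[cur.issuer]]
        nxt = by_subject.get(cur.issuer)   # otherwise look for an intermediate
        if nxt is None or nxt.subject in seen:
            return None                    # unknown issuer or a loop: no chain
        seen.add(nxt.subject)
        chain.append(nxt)
        cur = nxt


# Constructed certificates modelling the old and new trust anchors.
NEW_LEAF = Cert("CN=*.dyndns.org", "DigiCert intermediate (constructed)")
NEW_INTERMEDIATE = Cert("DigiCert intermediate (constructed)",
                        "DigiCert root (constructed)")
DIGICERT_ROOT = Cert("DigiCert root (constructed)",
                     "DigiCert root (constructed)", self_signed=True)
EQUIFAX_ROOT = Cert("Equifax root (constructed)",
                    "Equifax root (constructed)", self_signed=True)


def ddns_update_allowed(device_ca_store):
    """Mirror the DDNS client's decision: update only when the chain builds."""
    return build_chain(NEW_LEAF, [NEW_INTERMEDIATE], device_ca_store) is not None


if __name__ == "__main__":
    for label, store in (("before loading DigiCert CA", [EQUIFAX_ROOT]),
                         ("after loading DigiCert CA", [EQUIFAX_ROOT, DIGICERT_ROOT])):
        print(f"{label}: {'good' if ddns_update_allowed(store) else 'no init'}")
```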
05-23-2012 07:59 AM
Thanks for updating this info.
I will verify this in our lab and make some arrangements to update the KB Article. I will keep you posted here.