ScreenOS Firewalls (NOT SRX)
Visitor
Posts: 1
Registered: 05-30-2008

DynDNS Certificate Provider Changed - ScreenOS DDNS Client Broken Until New CA Certs Loaded

It would appear that as of May 22, 2012 DynDNS has updated the certificate on the members.dyndns.org server (which is used by the ScreenOS DDNS client for DynDNS) from a certificate signed by Equifax/Geotrust to a certificate signed by DigiCert.
We noticed this when a customer's ScreenOS device was no longer updating its DynDNS name with its current IP.
Event Log entry was:
PKI: Cannot build certificate chain for cert with subject name CN=*.dyndns.org,O=Dynamic Network Services, Inc.,L=Manchester,ST=New Hampshire,C=US,.
You'll know it's broken if the DDNS client menu shows a Last-response of "no init" instead of the usual "good".
If you have any Juniper ScreenOS devices utilizing the DynDNS DDNS client, you'll need to load the attached CA certs into the device for it to trust the new cert and be able to update DynDNS with its current IP. (Also available at https://www.digicert.com/digicert-root-certificates.htm - you need the "High Assurance EV Root CA" and the "High Assurance CA-3".)
In ScreenOS v6.3 this is in the Objects -> Certificates menu. Change the "Show" pulldown from Local to CA to see what root certs the device has loaded.
Depending on how frequently a device's public IP changes, this issue may create a problem immediately (as it did for our customer) or could take weeks or months to show up.
I do believe Juniper KB article KB7380 is now invalid and will need to be updated to reflect the new CAs.
Happy updating!
Colin
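As an added example (not from the original post or from Juniper), the following Python script scans a ScreenOS event-log excerpt for the chain-build failure quoted above and parses the certificate subject, so a monitoring job can raise one alert per affected certificate before the next IP change exposes the stalled DDNS update. The log sample is constructed; only the PKI message text comes from this thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample ScreenOS event-log excerpt (not captured from a real device).
# The PKI lines copy the message quoted in the post above; the others are filler.
SAMPLE_LOG = """\
2012-05-23 10:14:02 PKI: Cannot build certificate chain for cert with subject name CN=*.dyndns.org,O=Dynamic Network Services, Inc.,L=Manchester,ST=New Hampshire,C=US,.
2012-05-23 10:14:05 Admin user login from 192.0.2.10 (constructed filler line)
2012-05-23 10:20:02 PKI: Cannot build certificate chain for cert with subject name CN=*.dyndns.org,O=Dynamic Network Services, Inc.,L=Manchester,ST=New Hampshire,C=US,.
2012-05-23 10:21:00 Interface ethernet0/0 link up (constructed filler line)
"""

CHAIN_FAILURE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"PKI: Cannot build certificate chain for cert with subject name (?P<dn>.+)$"
)


def parse_dn(dn: str) -> Dict[str, str]:
    """Split the subject DN into attributes."""
    # Only a comma directly followed by an attribute type (',O=', ',L=', ...) ends an
    # attribute, so the comma in 'Dynamic Network Services, Inc.' stays in the O value.
    dn = dn.strip()
    dn = dn[:-2] if dn.endswith(",.") else dn.rstrip(",")  # drop the stray ',.' ScreenOS appends
    attrs: Dict[str, str] = {}
    for part in re.split(r",(?=[A-Za-z]+=)", dn):
        key, _, value = part.partition("=")
        attrs[key.strip()] = value.strip()
    return attrs


def find_chain_failures(log_text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Return (timestamp, parsed subject) for every chain-build failure, in log order."""
    out = []
    for line in log_text.splitlines():
        m = CHAIN_FAILURE.match(line)
        if m:
            out.append((m.group("ts"), parse_dn(m.group("dn"))))
    return out


def failures_by_cn(log_text: str) -> Dict[str, int]:
    """Count failures per certificate CN, so the client's retries collapse into one alert."""
    counts: Dict[str, int] = {}
    for _, subject in find_chain_failures(log_text):
        cn = subject.get("CN", "<no CN>")
        counts[cn] = counts.get(cn, 0) + 1
    return counts
```

A non-empty result from `failures_by_cn` means the device cannot chain the server certificate to a CA it has loaded; compare the CN against the CA list under Objects -> Certificates (Show: CA) on the device.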
Trusted Expert
Posts: 378
Registered: 05-12-2012
0

Re: DynDNS Certificate Provider Changed - ScreenOS DDNS Client Broken Until New CA Certs Loaded

Thanks for updating this info.
I will verify this in our lab and make some arrangements to update the KB Article. I will keep you posted here.

yjw
New User
Posts: 3
Registered: 10-19-2010
0

Re: DynDNS Certificate Provider Changed - ScreenOS DDNS Client Broken Until New CA Certs Loaded

It works, thank you.

New User
Posts: 1
Registered: 12-01-2009
0

Re: DynDNS Certificate Provider Changed - ScreenOS DDNS Client Broken Until New CA Certs Loaded

This suddenly started happening a few days ago (the DigiCert certificates were already there). The error message is the same. I deleted the certificates and downloaded them again, but without luck.

Any ideas why this is happening?

Visitor
Posts: 2
Registered: 05-13-2015
0

Re: DynDNS Certificate Provider Changed - ScreenOS DDNS Client Broken Until New CA Certs Loaded

Hi, we have the same issue today.

None of our SSG5 and SSG520 devices update the DynDNS IP addresses.
PKI: Cannot build certificate chain for cert with subject name CN=*.dyndns.org,O=Dynamic Network Services, Inc.,L=Manchester,ST=New Hampshire,C=US,.
We have found no new certificate for dyndns.

Do you have any idea?

Visitor
Posts: 7
Registered: 04-26-2012
0

Re: DynDNS Certificate Provider Changed - ScreenOS DDNS Client Broken Until New CA Certs Loaded

Hello,
Same problem today.

Where can I download the new certificate?

Nicit

Juniper Employee
Posts: 47
Registered: 11-15-2013
0

Re: DynDNS Certificate Provider Changed - ScreenOS DDNS Client Broken Until New CA Certs Loaded

Hello,
Please do let us know if you were able to follow the KB http://kb.juniper.net/InfoCenter/index?page=content&id=KB27464 and upload the new certificates from the site?
Hope it helps.
Regards,

Vatsa

Visitor
Posts: 2
Registered: 05-13-2015
0

Re: DynDNS Certificate Provider Changed - ScreenOS DDNS Client Broken Until New CA Certs Loaded

Hi, the solution is not working.

New User
Posts: 1
Registered: 03-28-2015

Re: DynDNS Certificate Provider Changed - ScreenOS DDNS Client Broken Until New CA Certs Loaded

After a few hours of trying I have finally found the cert that is needed to allow the DDNS to work again.
DigiCertSHA2SecureServerCA.cer
Load this cert and it all works again.

Copyright© 1999-2015 Juniper Networks, Inc. All rights reserved.