Screen OS

  • 1.  Juniper SSG5 DDNS https socket creation failed

    Posted 07-27-2015 02:08

    I have a Juniper SSG5 firewall, Version: 6.3.0r19.0, that is on a dynamic IP. We are using DDNS service from dyndns. The service is supported by the SSG device.

    There have been no problems getting it to work using http only.
    My problem arises when changing to https.

    When using http I get "good" and "nochg" replies from dyndns.
    It only replies "no-init" when using https.

    More details are found below; I am fresh out of ideas as to how to get this to work. My knowledge on certs and CAs is not extensive.

    I am wondering if it is me handling the install of the certs wrong or if there is something else in the settings that I need to do in order for the SSG device to be able to connect via https.

    I have been using this KB article as a basis for the config:

    Juniper KB, configure DDNS on ScreenOS device,
    http://kb.juniper.net/InfoCenter/index?page=content&id=KB4582

    NOTE:
    The cert mentioned there, the GeoTrust certificate, as of  is no longer valid.
    As mentioned here,
    http://forums.juniper.net/t5/ScreenOS-Firewalls-NOT-SRX/DynDNS-Certificate-Provider-Changed-ScreenOS-DDNS-Client-Broken/td-p/143914

    That cert was changed for a DigiCert cert as of May 22, 2012.
    I have used FF to find and export the certs before importing them to the SSG device. The DigiCert certs used on https://members.dyndns.org/ are, as far as I can understand (please correct me if I am wrong),

    DigiCert Global Root CA, with serial number:[08:3B:E0:56:90:42:46:B1:A1:75:6A:C9:59:91:C7:4A]

    and

    DigiCert SHA2 Secure Server CA with serial number: [01:FD:A3:EB:6E:CA:75:C8:88:43:8B:72:4B:CF:BC:91]

    I have even tried to download them from the DigiCert home webpage, installing the certs I downloaded there and afterwards using the serial numbers to see if the certs are identical.

    Perhaps worth noting is that, when installed, both CA certs are named "DigiCert Global Root CA", but serial numbers and expiry dates match the information I get from the page by clicking the URL padlock in FF. When using

    `openssl x509 -in DigiCertGlobalRootCA -text -noout`

    It seems that both certs have CN="DigiCert Global Root CA".

    I have tried installing them root CA first and then the intermediate, in reverse order, only root, only intermediate; the ones downloaded from DigiCert and the FF certs. In FF I have tried with and without chain. I have even tried adding all the DigiCert certs I found in FF.

    Regardless of the above efforts i still get:

        DDNS: Triggering update for 1
        ddns: server members.dyndns.org resolved to 204.13.248.111
        DDNS: connect error
        socket creation failed
        ddns: update failed, fail cnt 4, retry after 60 min

    Using this example from Dyndns,
    From here:
    http://help.dyn.com/remote-access-api/perform-update/

    Using this I can update the IP using https with FF.

    https://username:password@members.dyndns.org/nic/update?hostname=yourhostname&myip=ipaddress&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG

    I also found this Juniper KB article and tested the command there,

    To load Intermediate CA Certificate into Netscreen Firewall

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB6779&actp=search&viewlocale=en_US&searchid=1237138980966

        set pki x509 def cert-path full [Enter]
        save [Enter]

    But the only change I can see is that if I install an intermediate cert, both the intermediate and the root are installed at the same time when installing the intermediate cert; it does not help me with my problem.

    Somewhere I found that maybe disabling ALG on DNS might help.
    I have tried that, but I cannot see that it makes any difference.

    NOTE, NTP and DNS are enabled and working. A reset has been done after the presumed correct certs have been loaded.
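For readers reproducing the problem from a workstation rather than the SSG, the following is an added example (not code from the thread, Juniper or Dyn): it builds the same `nic/update` request the post's URL shows, but puts the credentials in an `Authorization` header instead of the URL's userinfo part (so they do not land in proxy or server logs), verifies the server chain against a CA file you supply (for example the DigiCert roots the post exports), and classifies the reply. A Python `SSLCertVerificationError` here corresponds to the SSG's "connect error": the client could not build a trusted chain. The reply codes are the documented DynDNS v2 codes; the hostname, IP and credentials in the usage call are constructed placeholders.

```python
"""Added example (not part of the thread): DynDNS-style HTTPS update client
with explicit chain verification and reply classification."""
import base64
import ssl
import urllib.parse
import urllib.request

DYN_HOST = "members.dyndns.org"   # the server named in the thread's example URL

# Reply codes of the DynDNS "nic/update" API; the thread mentions "good" and "nochg".
REPLY_MEANING = {
    "good":    "update accepted",
    "nochg":   "IP unchanged; repeated nochg updates are treated as abuse",
    "badauth": "username or password rejected",
    "notfqdn": "hostname is not a fully-qualified domain name",
    "nohost":  "hostname does not exist under this account",
    "abuse":   "hostname blocked for abuse",
    "911":     "server-side problem; back off before retrying",
}


def build_update_request(hostname, myip, username, password):
    """Return (url, headers) for an update.

    Credentials go in a Basic Authorization header rather than the
    https://user:pass@host form, so they are not logged as part of the URL.
    """
    query = urllib.parse.urlencode({
        "hostname": hostname,
        "myip": myip,
        "wildcard": "NOCHG",
        "mx": "NOCHG",
        "backmx": "NOCHG",
    })
    url = f"https://{DYN_HOST}/nic/update?{query}"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {
        "Authorization": "Basic " + token,
        # Dyn expects a descriptive User-Agent; this value is constructed.
        "User-Agent": "example-ddns-client/1.0 (constructed)",
    }
    return url, headers


def classify_reply(body):
    """Parse a reply such as 'good 203.0.113.7' into (code, detail, meaning)."""
    parts = body.strip().split(None, 1)
    code = parts[0] if parts else ""
    detail = parts[1] if len(parts) > 1 else ""
    return code, detail, REPLY_MEANING.get(code, "unknown reply")


def tls_context(cafile=None):
    """Context that verifies the server chain against cafile (e.g. a PEM file
    holding the DigiCert root/intermediate) or, if None, the system store.
    Hostname checking and CERT_REQUIRED are the defaults; set explicitly here
    so the verification policy is visible in one place."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def send_update(hostname, myip, username, password, cafile=None, timeout=10):
    """Perform the update over HTTPS and return the classified reply.

    ssl.SSLCertVerificationError raised from urlopen means the chain could not
    be validated with the supplied CA file, i.e. the same failure class the
    SSG reports as 'connect error'.
    """
    url, headers = build_update_request(hostname, myip, username, password)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout, context=tls_context(cafile)) as resp:
        return classify_reply(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Constructed placeholders; replace with real values and a CA file path.
    try:
        print(send_update("yourhostname.example.net", "203.0.113.7",
                          "username", "password", cafile=None))
    except ssl.SSLCertVerificationError as exc:
        print("chain verification failed:", exc)
```

Pointing `cafile` at a PEM file that contains only the root, only the intermediate, or both lets you reproduce the post's installation-order experiments and see exactly which combination the Python verifier accepts for the chain the server presents.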



  • 2.  RE: Juniper SSG5 DDNS https socket creation failed
    Best Answer

    Posted 07-27-2015 09:23

    This is a known issue in 6.3r19.  I would recommend using 6.3r18.