ScreenOS Firewalls (NOT SRX)

DynDNS Certificate Provider Changed - ScreenOS DDNS Client Broken Until New CA Certs Loaded

05-23-2012 07:00 AM

It would appear that as of May 22, 2012 DynDNS has updated the certificate on the members.dyndns.org server (which is used by the ScreenOS DDNS client for DynDNS) from a certificate signed by Equifax/GeoTrust to a certificate signed by DigiCert.

We noticed this when a customer's ScreenOS device was no longer updating its DynDNS name with its current IP.

Event Log entry was:

PKI: Cannot build certificate chain for cert with subject name CN=*.dyndns.org,O=Dynamic Network Services, Inc.,L=Manchester,ST=New Hampshire,C=US,.

You'll know it's broken if the DDNS client menu shows a Last-response of "no init" instead of the usual "good".

If you have any Juniper ScreenOS devices utilizing the DynDNS DDNS client, you'll need to load the attached CA certs into the device for it to trust the new cert and be able to update DynDNS with its current IP. (Also available at https://www.digicert.com/digicert-root-certificates.htm - you need the "High Assurance EV Root CA" and the "High Assurance CA-3".)

In ScreenOS v6.3 this is in the Objects -> Certificates menu. Change the "Show" pulldown from Local to CA to see what root certs the device has loaded.

Depending on how frequently a device's public IP changes, this issue may create a problem immediately (as it did for our customer) or could take weeks or months to show up.

I do believe Juniper KB article KB7380 is now invalid and will need to be updated to reflect the new CAs.

Happy updating!

Colin
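Added example, not from Colin's post and not Juniper's or DigiCert's code: the event-log message above is a chain-building failure, so it can be reproduced offline with a throwaway three-tier PKI and the openssl command-line tool. The script issues a made-up root CA, an intermediate CA and a wildcard server certificate, then checks the server certificate against three trust stores: root only, intermediate only, and root plus intermediate. Only the last one verifies, which is exactly why both the "High Assurance EV Root CA" and the "High Assurance CA-3" have to be loaded on the firewall. Assumed: openssl is on PATH; every name in the script (Demo High Assurance Root CA, Demo High Assurance CA-3, *.ddns.example, Demo DDNS Inc) is invented for the demonstration and stands in for the real DigiCert and DynDNS names.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce ScreenOS's
# "Cannot build certificate chain" condition with a throwaway PKI and show
# that trusting both the root and the intermediate CA fixes it.
# Assumes the openssl CLI is installed. All names/certs here are made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension profiles: one for the two CA certs, one for the server (leaf) cert.
cat >"$WORK/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
cat >"$WORK/leaf.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:*.ddns.example
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF

# issue_cert NAME SUBJECT EXTFILE [ISSUER]
# Generates a key and CSR for NAME, then signs it with ISSUER's key, or
# self-signs when no ISSUER is given (that is the root CA).
issue_cert() {
  name=$1; subj=$2; ext=$3; issuer=${4:-}
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  if [ -z "$issuer" ]; then
    openssl x509 -req -days 30 -sha256 -in "$WORK/$name.csr" \
      -signkey "$WORK/$name.key" -extfile "$ext" \
      -out "$WORK/$name.pem" >/dev/null 2>&1
  else
    openssl x509 -req -days 30 -sha256 -in "$WORK/$name.csr" \
      -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" -CAcreateserial \
      -extfile "$ext" -out "$WORK/$name.pem" >/dev/null 2>&1
  fi
}

# verify_leaf TRUSTSTORE: exit 0 if leaf.pem chains to a self-signed root in
# TRUSTSTORE, non-zero otherwise. This is the check the firewall's PKI code
# performs against the CA certs loaded under Objects -> Certificates.
verify_leaf() {
  openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Build the demo PKI: root -> intermediate -> wildcard server certificate.
issue_cert root  "/CN=Demo High Assurance Root CA"    "$WORK/ca.ext"
issue_cert inter "/CN=Demo High Assurance CA-3"       "$WORK/ca.ext"   root
issue_cert leaf  "/CN=*.ddns.example/O=Demo DDNS Inc" "$WORK/leaf.ext" inter

# Three candidate trust stores. The last one is what the post tells you to
# load: the root AND the intermediate.
cp "$WORK/root.pem"  "$WORK/store_root_only.pem"
cp "$WORK/inter.pem" "$WORK/store_inter_only.pem"
cat "$WORK/root.pem" "$WORK/inter.pem" >"$WORK/store_both.pem"

# report STORE LABEL: human-readable result for each store.
report() {
  if verify_leaf "$1"; then
    echo "$2: chain builds (DDNS update would succeed)"
  else
    echo "$2: cannot build certificate chain"
  fi
}
report "$WORK/store_root_only.pem"  "root only"
report "$WORK/store_inter_only.pem" "intermediate only"
report "$WORK/store_both.pem"       "root + intermediate"
```

To see which issuers the real server presents today, and therefore which CA certs the firewall needs under Objects -> Certificates (Show: CA), run `openssl s_client -connect members.dyndns.org:443 -showcerts </dev/null` from a host with internet access and read the issuer lines of the chain it prints. The 2015 replies further down this thread show the intermediate changed again (to DigiCert SHA2 Secure Server CA), so the set of certs to load is whatever that chain shows at the time, not a fixed pair.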

8 REPLIES
Re: DynDNS Certificate Provider Changed - ScreenOS DDNS Client Broken Until New CA Certs Loaded

05-23-2012 07:59 AM

Thanks for updating this info.

I will verify this in our lab and make some arrangements to update the KB article. I will keep you posted here.

Re: DynDNS Certificate Provider Changed - ScreenOS DDNS Client Broken Until New CA Certs Loaded

05-25-2012 06:31 PM

It works, thank you.

Re: DynDNS Certificate Provider Changed - ScreenOS DDNS Client Broken Until New CA Certs Loaded

04-15-2014 11:45 AM

This suddenly started happening a few days ago (the DigiCert certificates were already there). The error message is the same. I deleted the certificates and downloaded them again, but without luck.

Any ideas why this is happening?

Re: DynDNS Certificate Provider Changed - ScreenOS DDNS Client Broken Until New CA Certs Loaded

05-13-2015 07:32 AM

Hi, we have the same issue today.

Neither the SSG5 nor the SSG520 updates the DynDNS IP addresses.

PKI: Cannot build certificate chain for cert with subject name CN=*.dyndns.org,O=Dynamic Network Services, Inc.,L=Manchester,ST=New Hampshire,C=US,.

We have found no new certificate for DynDNS.

Do you have any idea?

Re: DynDNS Certificate Provider Changed - ScreenOS DDNS Client Broken Until New CA Certs Loaded

05-19-2015 02:36 AM

Hello,

Same problem today.

Where can I download the new certificate?

Nicit

Re: DynDNS Certificate Provider Changed - ScreenOS DDNS Client Broken Until New CA Certs Loaded

06-09-2015 03:06 AM

Hello,

Please let us know whether you were able to follow the KB http://kb.juniper.net/InfoCenter/index?page=content&id=KB27464 and upload the new certificates from the site.

Hope it helps.

Regards

Vatsa

Re: DynDNS Certificate Provider Changed - ScreenOS DDNS Client Broken Until New CA Certs Loaded

06-17-2015 04:25 AM

Hi, the solution is not working.

Re: DynDNS Certificate Provider Changed - ScreenOS DDNS Client Broken Until New CA Certs Loaded

06-28-2015 07:01 AM

After a few hours of trying I have finally found the cert that is needed to allow the DDNS to work again.

DigiCertSHA2SecureServerCA.cer

Load this cert and it all works again.