How do I verify DDCLIENT is using SSL and if it's not, how do I force it?
I have been following this guide on setting up a VPN on my Pi. Part of the steps is to set up and configure a dynamic DNS service. I have created several accounts across multiple platforms; No-IP and dnsdynamic are two to name. Below is the content of my ddclient.conf file; it connects fine on both dynamic DNS sites.
daemon=60 # check every 60 seconds
syslog=yes # log update msgs to syslog
mail=root # mail all msgs to root
mail-failure=root # mail failed update msgs to root
pid=/var/run/ddclient.pid # record PID in file.
ssl=yes # use ssl-support. Works with
# ssl-library
use=web, web=myip.dnsdynamic.com # get ip from server.
server=www.dnsdynamic.org # default server
login=YOURUSERNAME # default login
password=YOURPASSWORD # default password
server=www.dnsdynamic.org, \
protocol=dyndns2 \
MYDOMAIN.dnsdynamic.COM
My issue is that in this article, they illustrate how to verify if your pi is connecting over SSL. When I run
sudo ddclient -verbose -debug -noquiet -query
it shows connecting over HTTP vs HTTPS or SSL for each site. I verified that ssl was installed by running
sudo apt-get install ssh libio-socket-ssl-perl
Any ideas on whether it's connecting via SSL, or how I can force it to? I have run through this article too. I did see that ddclient stated that it would use SSL if available. I'm wondering if this is a limitation of using a free dynamic DNS site or if I'm overlooking something. The articles made it appear as though the sites I'm using, like No-IP and dnsdynamic, support SSL.
Solution 1:
I have found the answer and I feel very silly not figuring it out earlier.
daemon=60 # check every 60 seconds
syslog=yes # log update msgs to syslog
mail=root # mail all msgs to root
mail-failure=root # mail failed update msgs to root
pid=/var/run/ddclient.pid # record PID in file.
ssl=yes # use ssl-support. Works with
# ssl-library
use=web, web=https://myip.dnsdynamic.org # get ip from server.
server=www.dnsdynamic.org # default server
login=USERNAME # default login
password=PASSWORD # default password
server=www.dnsdynamic.org, \
protocol=dyndns2 \
YOUR DOMAIN GOES HERE
The above will force SSL and will connect over SSL. There are two changes I have made.
The line use=web, web=myip.dnsdynamic.com should be use=web, web=https://myip.dnsdynamic.org. Changing from .com to .org stops connection failures. Adding https:// prior to the connection string allows it to connect over SSL.
Output from use=web, web=myip.dnsdynamic.org shows:
use=web, web=loopia address is IPADDRESSISHERE
CONNECT: myip.dnsdynamic.org
CONNECTED: using HTTP
SENDING: GET / HTTP/1.0
SENDING: Host: myip.dnsdynamic.org
SENDING: User-Agent: ddclient/3.8.2
SENDING: Connection: close
Output from use=web, web=https://myip.dnsdynamic.org shows:
use=web, web=loopia address is IPADDRESSISHERE
CONNECT: myip.dnsdynamic.org
The verification of cert '/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA/CN=www.dnsdynamic.org'
failed against the host 'myip.dnsdynamic.org' with the default verification scheme.
THIS MIGHT BE A MAN-IN-THE-MIDDLE ATTACK !!!!
To stop this warning you might need to set SSL_verifycn_name to
the name of the host you expect in the certificate.
CONNECTED: using SSL
SENDING: GET / HTTP/1.0
SENDING: Host: myip.dnsdynamic.org
SENDING: User-Agent: ddclient/3.8.2
SENDING: Connection: close
I am still unsure why forcing ssl=yes does not cause it to use HTTPS automatically, but it is connecting over SSL now, and the command as seen by @George helps me verify it is: sudo ddclient -verbose -debug -noquiet -query
Solution 2:
This is only the "get IP" part. The actual update to the dynamic DNS server is not shown in your output. It may still be done over HTTP.
root@ad26e03e9704:/bin# ddclient -daemon=0 -noquiet -debug -file /config/ddclient.conf
DEBUG: get_ip: using cmd, /config/get_ip.sh reports 10.0.0.1
DEBUG:
DEBUG: nic_dyndns2_update -------------------
DEBUG: proxy =
DEBUG: url = http://dyndns.strato.com/nic/update?system=dyndns&hostname=bla.mydomain.com&myip=10.0.0.1
DEBUG: server = dyndns.strato.com
SUCCESS: updating bla.mydomain.com: good: IP address set to 10.0.0.1
If I put https in front of the server, I get:
DEBUG: url = http://https://dyndns.strato.com/nic/update?system=dyndns&hostname=bla.mydomain.com&myip=10.0.0.1
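The two answers check different legs of a ddclient run: the CONNECT/CONNECTED lines for the IP lookup and the "DEBUG: url =" line for the update itself. The following is an added example, not part of either answer or of ddclient, that classifies both from -debug output and also flags the certificate warning and the doubled-scheme URL shown above. The function names and the finding labels are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: classify each ddclient connection from its -debug output.
# Reads the log on stdin, prints one finding per line, and returns non-zero
# if anything was plaintext, malformed, or carried a certificate warning.
audit_ddclient_debug() {
    awk '
        BEGIN { bad = 0 }
        # "CONNECT: <host>" names the peer of the next "CONNECTED:" line.
        $1 == "CONNECT:" { host = $2; next }
        # Certificate warning printed between CONNECT and CONNECTED.
        /verification of cert/ { certwarn = 1; next }
        $1 == "CONNECTED:" {
            if ($NF == "SSL") { print "TLS connect " host }
            else { print "PLAINTEXT connect " host; bad = 1 }
            # The session was still established despite the warning.
            if (certwarn) { print "CERT-WARNING " host; bad = 1 }
            certwarn = 0; next
        }
        # "DEBUG: url = ..." is the update request itself (Solution 2).
        $1 == "DEBUG:" && $2 == "url" {
            split($NF, p, "/")      # p[1] is "scheme:", p[3] is the host
            if (p[3] == "http:" || p[3] == "https:") {
                print "MALFORMED update " p[5]; bad = 1   # doubled scheme
            } else if (p[1] == "https:") { print "TLS update " p[3] }
            else { print "PLAINTEXT update " p[3]; bad = 1 }
        }
        END { exit bad }
    '
}

# Constructed sample, condensed from the debug lines quoted in both answers.
sample_debug_output() {
    cat <<'EOF'
CONNECT: myip.dnsdynamic.org
CONNECTED: using HTTP
CONNECT: myip.dnsdynamic.org
The verification of cert '/CN=www.dnsdynamic.org'
failed against the host 'myip.dnsdynamic.org' with the default verification scheme.
CONNECTED: using SSL
DEBUG: url = http://dyndns.strato.com/nic/update?system=dyndns&hostname=bla.mydomain.com&myip=10.0.0.1
DEBUG: url = http://https://dyndns.strato.com/nic/update?system=dyndns&hostname=bla.mydomain.com&myip=10.0.0.1
EOF
}

sample_debug_output | audit_ddclient_debug || echo "insecure transport found"
# Live use: sudo ddclient -verbose -debug -noquiet -query 2>&1 | audit_ddclient_debug
```

A "TLS connect" line followed by "CERT-WARNING" means the session was encrypted but the peer's certificate did not verify against the host name, so it is reported as a failure rather than a pass.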