[GH-ISSUE #487] OpenWrt ddns-scripts returns error - "Invalid SSL certificate" ? #360

Closed
opened 2026-02-26 10:31:03 +03:00 by kerem · 5 comments

Originally created by @jaimet on GitHub (Oct 8, 2021).
Original GitHub issue: https://github.com/nsupdate-info/nsupdate.info/issues/487

Hi.

I've recently discovered that the ddns-scripts updater (that I am using in my OpenWrt router) appears to be having problems. I see the following in the syslog:

```
Thu Oct  7 17:59:51 2021 user.err ddns-scripts[15728]: nsupdateinfo_ipv4: uclient-fetch Error: '5'
Thu Oct  7 17:59:51 2021 user.warn ddns-scripts[15728]: nsupdateinfo_ipv4: Transfer failed - retry 5842/0 in 60 seconds
```

I think that I have traced the problem back to:

```
# /bin/uclient-fetch --ca-certificate=/etc/ssl/cert.pem 'https://ipv4.nsupdate.info'
Downloading 'https://ipv4.nsupdate.info'
Connecting to 213.239.209.163:443
Connection error: Invalid SSL certificate
```

I realise and understand that this is not an OpenWrt support site, but as far as I am aware, I have changed nothing in my router for the past 3 months. Are you aware of any recent changes (with nsupdate.info) that may cause this?

With kind regards, Jaime

kerem closed this issue 2026-02-26 10:31:03 +03:00

@ThomasWaldmann commented on GitHub (Oct 9, 2021):

You can check our certificate by invoking this url with a browser: it is a letsencrypt cert.

Maybe you need to update your root certificates / ca certificates.


@jaimet commented on GitHub (Oct 9, 2021):

Ok. I don't know what url you were referring to, but I triggered/found [this](https://www.ssllabs.com/ssltest/analyze.html?d=ipv4.nsupdate.info) during my investigation, and obviously the results indicate that the problem is *not* with your certificate.

I'm currently using openwrt's latest [root certificates / ca certificate package](https://openwrt.org/packages/pkgdata/ca-bundle), so I don't think that is the cause of the problem. It may be a problem with the [new ssl library](https://openwrt.org/packages/pkgdata/libustream-wolfssl20201210) that I'm using.

I'll close this now, but I am going to keep digging, and I will update this issue with any useful information that I find. Thank you for your reply, but above all, thank you for nsupdate.info. 🙏

@ThomasWaldmann commented on GitHub (Oct 10, 2021):

Looks like you need TLS 1.2 or 1.3 and up-to-date ca certs.


@jaimet commented on GitHub (Oct 12, 2021):

Found it! [It seems that I am not alone.](https://forum.openwrt.org/t/107891) - it is an issue with wolfssl, triggered by the expiration of one of the letsencrypt global root certs. Interestingly, there is no later ca-bundle, presumably because both openssl and mbedTLS can deal correctly with the expiration (by automatically switching to the other certification path). HTH.

@ThomasWaldmann commented on GitHub (Oct 13, 2021):

Ah, yeah, that explains it.
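
A simplified model of the failure diagnosed in this thread, added here as an example (not code from the thread, wolfSSL, or OpenWrt): a verifier that follows only the chain as the server sent it ends at the expired root, while one that prefers a valid trust anchor at each step succeeds with the same CA bundle. The certificate names and dates are assumptions based on the public Let's Encrypt chain of October 2021, rounded and constructed; only names and expiry are checked, not signatures.

```python
from datetime import date

# Constructed, simplified certificates: (subject, issuer, not_after).
LEAF = ("ipv4.nsupdate.info", "R3", date(2021, 12, 1))
R3 = ("R3", "ISRG Root X1", date(2025, 9, 15))
X1_CROSS = ("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))  # cross-signed
X1_SELF = ("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))      # self-signed
DST_X3 = ("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))  # expired root

SENT_CHAIN = [LEAF, R3, X1_CROSS]                    # assumed server chain
TRUST_STORE = {c[0]: c for c in (X1_SELF, DST_X3)}   # assumed CA bundle


def expired(cert, today):
    return today > cert[2]


def verify_as_sent(chain, store, today):
    """Follow the chain exactly as sent, then require its root to be valid."""
    for cert in chain:
        if expired(cert, today):
            return f"fail: {cert[0]} expired"
    root = store.get(chain[-1][1])
    if root is None:
        return "fail: unknown issuer"
    if expired(root, today):
        return f"fail: root {root[0]} expired"
    return f"ok: anchored at {root[0]}"


def verify_trusted_first(chain, store, today):
    """At each step, prefer a valid trust anchor over the next sent cert."""
    for cert in chain:
        if expired(cert, today):
            return f"fail: {cert[0]} expired"
        anchor = store.get(cert[1])
        if anchor is not None and not expired(anchor, today):
            return f"ok: anchored at {anchor[0]}"
    return "fail: no valid trust anchor"


if __name__ == "__main__":
    day = date(2021, 10, 7)  # date of the syslog lines in the report
    print(verify_as_sent(SENT_CHAIN, TRUST_STORE, day))
    print(verify_trusted_first(SENT_CHAIN, TRUST_STORE, day))
```

In this model, dropping the expired root from the bundle does not help the first verifier (it then fails with an unknown issuer), which is consistent with the fix not arriving as a newer ca-bundle.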
