
DDNS update to https domain that is self signed

Discussion in 'Tomato Firmware' started by tomval2k, May 21, 2013.

  1. tomval2k

    tomval2k Reformed Router Member

    Using Tomato v1.28 I am trying to set up DDNS to point to my own webserver. I would like to use an encrypted URL via a self-signed certificate.

    From either a SSH terminal or the web gui, I can run the update:
    $ ddns-update 1
    $ cat /tmp/var/lib/mdu/ddnsx1.msg
    Unknown error (-1).
    If I change the URL to an alternate SSL site, e.g. https://ca.isohunt.com/lite/, the result of ddns-update is that the ddnsx1.msg reports that the update is successful.

    I am guessing that is because the SSL cert there is not self-signed, but I can't work out where ddns-update is getting the list of known certificate authorities from.

    Anyone with any ideas?

  2. lancethepants

    lancethepants Network Guru Member

    Get yourself a free signed cert with startssl. I use them for multiple domains for SSL encrypted sites.
  3. philess

    philess Networkin' Nut Member

    Can you not use a direct update URL? Use "wget --no-check-certificate" then. It's working fine to update my own domain with dynamic subdomains (hosted on joker.com).
  4. tomval2k

    tomval2k Reformed Router Member

    @lancethepants, I suppose I could do that but I want to keep my own root CA in place (admittedly this is making life slightly more difficult).

    @philess, the version of wget supplied does not actually support https at all, so it cannot be used to retrieve any SSL site irrespective of the validity of the certificate.

    I have thought of another way: tomato comes with dropbear and as I already have a user on my server set up for my router to login via SSH, I can create a SSH tunnel from my router to my server.

    I can then just use commands like:
    ssh -g -N -L 8080:localhost:80 vpsUser@remoteVPS -p 22 -i dropbear.key -f & echo $!
    kill $(pidof ssh)
    and I will be communicating with my web server securely.

    I still do not understand though what ddns-update is using to validate the certificates of the webservers it connects to if a SSL url is specified.
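    The tunnel approach from this post, written out as an added example (not from the thread or from Tomato): open the forward, wait until it listens, send the update over it, then kill only the tunnel this script started rather than every ssh process. vpsUser, remoteVPS, the key path, the hostname and the update path are placeholders; the forward binds to loopback (no -g) so other LAN hosts cannot use it.

```shell
#!/bin/sh
# Added example: DDNS update through an SSH local port forward.
# vpsUser@remoteVPS, /jffs/dropbear.key, home.example.com and the
# /ddns/update path are assumed placeholders, not values from the thread.
REMOTE="${REMOTE:-vpsUser@remoteVPS}"
SSH_KEY="${SSH_KEY:-/jffs/dropbear.key}"
LOCAL_PORT="${LOCAL_PORT:-8080}"
UPDATE_URL="http://127.0.0.1:${LOCAL_PORT}/ddns/update?host=home.example.com"

# Start the forward on loopback only (no -g), so nothing else on the LAN can
# reach the web server through the router. $! is saved for a targeted kill:
# "kill $(pidof ssh)" would also kill any other ssh session on the router.
open_tunnel() {
    ssh -N -L "127.0.0.1:${LOCAL_PORT}:localhost:80" -i "$SSH_KEY" -p 22 "$REMOTE" &
    TUNNEL_PID=$!
}

# Poll (up to 10 s) until the forwarded port is listening; busybox netstat
# prints "127.0.0.1:8080" in the local-address column once it is.
wait_for_tunnel() {
    tries=0
    while [ "$tries" -lt 10 ]; do
        netstat -ltn 2>/dev/null | grep -qF "127.0.0.1:${LOCAL_PORT} " && return 0
        tries=$((tries + 1))
        sleep 1
    done
    return 1
}

# Plain HTTP is fine here: the SSH tunnel provides the encryption, and the
# server's host-key check stands in for the TLS check this wget cannot do.
send_update() {
    wget -q -O - "$UPDATE_URL"
}

close_tunnel() {
    [ -n "$TUNNEL_PID" ] && kill "$TUNNEL_PID" 2>/dev/null
}

# Returns 0 on a successful update, 1 if the tunnel never came up,
# 2 if the HTTP request failed. The tunnel is closed on every path.
run_update() {
    open_tunnel
    if ! wait_for_tunnel; then close_tunnel; return 1; fi
    if send_update; then rc=0; else rc=2; fi
    close_tunnel
    return "$rc"
}
```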

  5. philess

    philess Networkin' Nut Member

    Oh right, I forgot. Well you could either use an additional full-featured wget binary or install curl from Entware.
  6. lancethepants

    lancethepants Network Guru Member

    I have a completely static version of gnu/wget with ssl and zlib on my site, so no external dependencies. Compressed with upx to ~765KB. This could be placed in /jffs or USB stick.
