Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Advertise on LowEndTalk.com
using SSL on namecheap's DDNS with ddclient
New on LowEndTalk? Please read our 'Community Rules' by clicking on it in the right menu!

using SSL on namecheap's DDNS with ddclient

NihimNihim Member
edited October 2016 in Help

I have a domain pointing to a machine that once in a while changes IP (have no control over that), so I setup DDNS on namecheap and installed ddclient. I also added in the config the option to use SSL for its communication.
It works fine but after checking it's using HTTP and I can't make it work with SSL.

ddclient: 3.8.1-1ubuntu2.14.04.1
libio-socket-ssl-perl: 1.965-1ubuntu1

my config:

use=web, web=dynamicdns.park-your-domain.com/getip
ssl=yes
protocol=namecheap
server=dynamicdns.park-your-domain.com
login=etc

-noquiet -verbose -debug shows:

DEBUG: proxy =
DEBUG: url = dynamicdns.park-your-domain.com/getip
DEBUG: server = dynamicdns.park-your-domain.com
CONNECT: dynamicdns.park-your-domain.com
CONNECTED: using HTTP
SENDING: GET /getip HTTP/1.0
SENDING: Host: dynamicdns.park-your-domain.com
SENDING: User-Agent: ddclient/3.8.1
SENDING: Connection: close
SENDING:
RECEIVE: HTTP/1.1 200 OK
RECEIVE: Cache-Control: private
RECEIVE: Content-Length: 13
RECEIVE: Content-Type: text/html
RECEIVE: Server: Microsoft-IIS/8.5
RECEIVE: Set-Cookie: cookie; path=/
RECEIVE: X-Powered-By: ASP.NET
RECEIVE: Date: Wed, 05 Oct 2016 22:09:39 GMT
RECEIVE: Connection: close
then succeeds checking / updating IPs.

according to almighty google's results, it shows SSL instead of http when it does use ssl.

namecheap support replied with

Please mind that in order for SSL connection to be working properly, you need to have 3.7.0 ddclient version and IO::Socket::SSL.

and after I posted my versions and debug they replied with:

As for usage of SSL, regretfully, that is not something we can properly assist you with as the work of SSL certificate depends on such factors as server setup, kind of SSL installed, its provider etc.
Thus, we may recommend you to check the configuration on the server side and discuss the matter with your SSL provider additionally.

which doesn't make sense unless I am missing something. It seems like they are implying the machine should have a full SSL cert?

tldr; if you have working ddclient with ssl on namecheap, how do I do that - what did I do wrong?

Comments

  • From what I see on my 3.8.3 version of ddclient, for Namecheap (and many others) the actual URL that is hit to update the IP is http (NO S).

    Look at the ddclient "binary" (Perl script) which is typically in /usr/sbin/ and look for the nic_namecheap_update function. Right at the top, you'll see (pardon the formatting):

    my $url;
    $url   = "http://$config{$h}{'server'}/update";
    

    You'll see it is hardwired to http. A flip to https should do the trick.

    (I've done precisely this for freedns and it works).

    HTH.

  • NihimNihim Member
    edited October 2016

    @nullnothere said:

    Edited to correct a mistake in my logic

    Tried that and -noquiet -verbose -debug still showed using http, which makes sense since we changed just the url. I am trying to find a way to verify it's really using https.

    I tried sudo strace -e trace=connect ddclient -noquiet -verbose -debug and couldn't see well anything that looked like ssl (but then again I can't really read strace XD)

    So I checked what controls if it uses ssl or not and there is a $force_ssl so I hard-set it to always be true.

    Now -noquiet -verbose -debug shows "using SSL" but hell I am still not sure what it is really using.

  • First, to make sure that the URL change (i.e. http to https) is working correctly, just hard code the url to be something that won't work (or else your own server so you can check the logs and see that it's hitting httpd).

    Once that works it should confirm that you're on the right track.

    This is Perl - so no need for strace (etc). Just copy the ddclient script to a tmp location edit it as you need and run ddclient as you're doing via hand with a -foreground option which will not daemonize and just run one. Also, one more caveat - ddclient prioritizes the config file values over what you pass on the command line. So try to run with a very lean/minimal config file at first to confirm things are being picked up. And of course one more thing - make sure that an existing daemon isn't already running to add to any confusion.

    HTH.

  • NihimNihim Member
    edited October 2016

    @nullnothere changing the url to fubar didn't annoy ddclient at all, it worked fine...

    Anyway I checked strace again and:

    changing http to https gives:

    connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.1.1")}, 16) = 0
    connect(4, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("104.219.")}, 16) = -1 EINPROGRESS (Operation now in progress)
    connect(4, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("104.219.")}, 16) = 0
    

    port 80

    changing $force_ssl to always be true gives:

    connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.1.1")}, 16) = 0
    connect(4, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("104.219.")}, 16) = -1 EINPROGRESS (Operation now in progress)
    connect(4, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("104.219.")}, 16) = 0
    

    port 443

    so it seems for whatever reason, the $url is ignored.

  • I did a quick read to confirm how things work and here's what I found:

    1. If you flip the URL to https (as I originally posted), there IS code that forces SSL and it works as it flips to port 443.

    2. Ensure that you're testing with en empty configuration so that only the command line options take effect. Or else change the config, and confirm that the changes are being reflected in how ddclient works (run it in foreground mode or ensure that it is NOT running as a daemon).

    3. Rather than using strace, use tcpdump to see how the outgoing connection is (of course a quiet network will help).

    4. Just nuke the cache (/var/cache/ddclient) or else use a separate cache to test things out (-cache path)

    5. Try to just hard code the IP so that it is not trying to detect the IP which can add to the confusion network wise.

    I hope this help you resolve it.

    I have absolutely no problems running this over SSL for freedns.

    Worst case - use a secondary script (via -postscript) to run a custom (sh/bash) script that updates namecheap over SSL via curl/wget with their tokens. Then for the primary dynamic dns setup a dummy/unused one from any one of the free services that works with SSL for your comfort).

  • NihimNihim Member
    edited November 2016

    @nullnothere

    I gave it another go right now. Re-installed it and just changed the http to https.

    Doing ddclient -daemon=0 -noquiet -verbose -debug :

    DEBUG:    proxy  =
    DEBUG:    url    = dynamicdns.park-your-domain.com/getip
    DEBUG:    server = dynamicdns.park-your-domain.com
    CONNECT:  dynamicdns.park-your-domain.com
    CONNECTED:  using HTTP
    SENDING:  GET /getip HTTP/1.0
    SENDING:   Host: dynamicdns.park-your-domain.com
    SENDING:   User-Agent: ddclient/3.8.2
    SENDING:   Connection: close
    SENDING:
    RECEIVE:  HTTP/1.1 200 OK
    RECEIVE:  Cache-Control: private
    RECEIVE:  Content-Length: 14
    RECEIVE:  Content-Type: text/html
    RECEIVE:  Server: Microsoft-IIS/8.5
    RECEIVE:  Set-Cookie: ; path=/
    RECEIVE:  X-Powered-By: ASP.NET
    RECEIVE:  Date: Tue, 08 Nov 2016 23:37:25 GMT
    RECEIVE:  Connection: close
    

    but if I delete the cache:

    DEBUG:    proxy  =
    DEBUG:    url    = dynamicdns.park-your-domain.com/getip
    DEBUG:    server = dynamicdns.park-your-domain.com
    CONNECT:  dynamicdns.park-your-domain.com
    CONNECTED:  using HTTP
    SENDING:  GET /getip HTTP/1.0
    SENDING:   Host: dynamicdns.park-your-domain.com
    SENDING:   User-Agent: ddclient/3.8.2
    SENDING:   Connection: close
    SENDING:
    RECEIVE:  HTTP/1.1 200 OK
    RECEIVE:  Cache-Control: private
    RECEIVE:  Content-Length: 14
    RECEIVE:  Content-Type: text/html
    RECEIVE:  Server: Microsoft-IIS/8.5
    RECEIVE:  Set-Cookie: ; path=/
    RECEIVE:  X-Powered-By: ASP.NET
    RECEIVE:  Date: Tue, 08 Nov 2016 23:26:16 GMT
    RECEIVE:  Connection: close
    RECEIVE:
    RECEIVE:  IP
    DEBUG:    get_ip: using web, dynamicdns.park-your-domain.com/getip reports IP
    INFO:     forcing updating sub because no cached entry exists.
    DEBUG:
    DEBUG:     nic_namecheap1_update -------------------
    INFO:     setting IP address to IP for sub
    UPDATE:   updating sub
    DEBUG:    proxy  =
    DEBUG:    url    = https://dynamicdns.park-your-domain.com/update?host=sub&domain=domain&password=pass&ip=IP
    DEBUG:    server = dynamicdns.park-your-domain.com
    CONNECT:  dynamicdns.park-your-domain.com
    CONNECTED:  using SSL
    SENDING:  GET /update?host=sub&domain=domain&password=password&ip=IP HTTP/1.0
    SENDING:   Host: dynamicdns.park-your-domain.com
    SENDING:   User-Agent: ddclient/3.8.2
    SENDING:   Connection: close
    

    Was I just looking at the IP check call all the time, since I wasn't seeing the nic_name part? :/

  • @Nihim,

    I think you were looking at the wrong output. In any case now that it appears to work I hope you're all set.

    Maybe this post can be closed? Resurrecting something like this after a while will confuse things for sure.

    HTH.

    Thanked by 2GCat Nihim
  • Yap agreed. Thank you for all the help!

    @mods kindly lock it up.

  • @nullnothere said:
    From what I see on my 3.8.3 version of ddclient, for Namecheap (and many others) the actual URL that is hit to update the IP is http (NO S).

    Look at the ddclient "binary" (Perl script) which is typically in /usr/sbin/ and look for the nic_namecheap_update function. Right at the top, you'll see (pardon the formatting):

    my $url;
    $url   = "http://$config{$h}{'server'}/update";
    

    You'll see it is hardwired to http. A flip to https should do the trick.

    (I've done precisely this for freedns and it works).

    HTH.

    Hello HTH, could you please elaborate on how to access this script and make changes accordingly? I am just getting started with linux terminal and have no idea how to open and access files. I am running Jessie Lite on a Raspberry Pi. Thanks in advance!

  • @ytan1201 - not sure which OS you're using and how you've "installed" or setup ddclient.

    Please find the ddclient binary/script (it is usually installed as an executable, so a "whereis ddclient" should point you at the actual file). Typically it is installed in /usr/sbin/ as /usr/sbin/ddclient.

    You can then either edit that file directly (caution advised) or else copy it to /usr/local/sbin (which should be earlier in the path so it should use this version if available) and then edit the relevant lines (as pointed to by my earlier post).

    (the HTH is a short form of "Hope This Helps" - just a way to sign off).

Sign In or Register to comment.