OpenSSL handshake error 40 when updating..
Configured and setup worker / when updating from Unifi I get the following:
Host and IP obscured.
root@WCDream-Wall:~# inadyn -n -1 --force -f /run/ddns-eth18-inadyn.conf
inadyn[489163]: In-a-dyn version 2.9.1 -- Dynamic DNS update client.
inadyn[489163]: Update forced for alias dynamic.fakedomain.net, new IP# 4#.19#.13#.2##
inadyn[489163]: OpenSSL error: 548520930960:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1562:SSL alert number 40
root@WCDream-Wall:~#
Seeing the same here, just provisioned a brand new UCG-Ultra:
root@Cloud-Gateway-Ultra:~# inadyn -n -1 --force -f /run/ddns-eth4-inadyn.conf
inadyn[64329]: In-a-dyn version 2.12.0 -- Dynamic DNS update client.
inadyn[64329]: Update forced for alias test.domain.name, new IP# 1.2.3.4
inadyn[64329]: OpenSSL error: 548321070736:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1562:SSL alert number 40
root@Cloud-Gateway-Ultra:~#
For now I've just commented out the default config and added this, since Cloudflare is natively supported in inadyn. It seems to work when running manually but I assume it will be nuked by the GUI at some stage. My IPv4 address doesn't change often either!
After the update I'm getting this:
root@GatewayVIE:~# inadyn -n -1 --force -f /run/ddns-eth4-inadyn.conf
inadyn[647553]: In-a-dyn version 2.12.0 -- Dynamic DNS update client.
inadyn[647553]: Update forced for alias gateway.domain.com, new IP# 1.2.3.4
inadyn[647553]: Fatal error in DDNS server response: DDNS server response not OK
inadyn[647553]: Error response from DDNS server, exiting!
inadyn[647553]: Error code 48: DDNS server response not OK
Are you omitting https:// from the server field?
> Are you omitting https:// from the server field?
Yes, I do.
But I think I found the underlying root cause already with applied --loglevel=debug:
More than one zone was found! You must supply an API Token scoped to a single zone.
However the API token is already restricted to a single DNS zone (plus Account -> Worker Scripts -> Edit). Not sure if the latter is needed.
After removing the "Worker Scripts" entry from the API token it looks better but not entirely good:
inadyn[977673]: Successfully sent HTTPS request!
inadyn[977673]: Successfully received HTTPS response (784/8191 bytes)!
inadyn[977673]: DDNS server response: HTTP/1.1 200 OK
Date: Mon, 30 Dec 2024 16:09:36 GMT
Content-Length: 0
Connection: close
Cf-Placement: local-VIE
Report-To: {"endpoints":[{"url":"REDACTED"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fa34b823e28c30a-VIE
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=9967&min_rtt=9367&rtt_var=3569&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2859&recv_bytes=730&delivery_rate=224565&cwnd=247&unsent_bytes=0&cid=3b39e96b37c4a834&ts=2824&x=0"
inadyn[977673]: Fatal error in DDNS server response: DDNS server response not OK
inadyn[977673]:
inadyn[977673]: Error response from DDNS server, exiting!
inadyn[977673]: Error code 48: DDNS server response not OK
So it looks like the response code is 200 OK but the content length is 0. Probably inadyn expects content.
Running into the same error response. IP address updates in the record in Cloudflare. Shows in inadyn output as an error despite being successful.
root@Peacock:~# inadyn -n -1 --force -f /run/ddns-eth8-inadyn.conf --loglevel=debug
inadyn[2938759]: In-a-dyn version 2.12.0 -- Dynamic DNS update client.
inadyn[2938759]: Resolving hostname xxx.works => IP# 96.xxx.xxx.xxx
inadyn[2938759]: Get address for custom
inadyn[2938759]: Checking for IP# change, querying interface eth8
inadyn[2938759]: Checking IPv4 address 96.xxx.xxx.xxx ...
inadyn[2938759]: IPv4 address 96.xxx.xxx.xxx is valid.
inadyn[2938759]: IPv6 address disallowed, enable with 'allow-ipv6 = true'
inadyn[2938759]: Invalid/local address fe80::xxxxxxxxxxxxx for eth8, skipping ...
inadyn[2938759]: Checking IPv4 address 96.xxx.xxx.xxx ...
inadyn[2938759]: IPv4 address 96.xxx.xxx.xxx is valid.
inadyn[2938759]: No IP# change detected for custom, still at 96.xxx.xxx.xxx
inadyn[2938759]: Update forced for alias xxx.works, new IP# 96.xxx.xxx.xxx
inadyn[2938759]: Sending IP# update to DDNS server, connecting to unifi-cloudflare-ddns.xxx-yyy.workers.dev([104.21.94.183]:443)
inadyn[2938759]: Sending IP# update to DDNS server, initiating HTTPS ...
inadyn[2938759]: SSL connection using TLS_AES_256_GCM_SHA384
inadyn[2938759]: Certificate OK
inadyn[2938759]: SSL server cert subject: /CN=xxx.workers.dev
inadyn[2938759]: SSL server cert issuer: /C=US/O=Google Trust Services/CN=WE1
inadyn[2938759]: Sending alias table update to DDNS server: GET /update?ip=96.xxx.xxx.xxx&hostname=xxx.works HTTP/1.0
Host: unifi-cloudflare-ddns.xxx-yyy.workers.dev
Authorization: Basic a29jaCcnhdxjyfhjlAZ21haWwuY29tOnBsSVdWeUI1X2ZTV1BRUFBPRDd0VmtuVjdCWTZQbEFvRUh
User-Agent: inadyn/2.12.0 https://github.com/troglobit/inadyn/issues
inadyn[2938759]: Successfully sent HTTPS request!
inadyn[2938759]: Successfully received HTTPS response (779/8191 bytes)!
inadyn[2938759]: DDNS server response: HTTP/1.1 200 OK
Date: Mon, 30 Dec 2024 16:22:31 GMT
Content-Length: 0
Connection: close
Cf-Placement: local-EWR
Report-To: {"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=dwVrjtIOm41gU%2FULTB1etTFIQD94tWkUfzoQ%2BKctnttpP3udqbRl9h5fZSwKPzdYAkmG4hhlftNtk2jeKNheA3S9NmzfYaEOmMZbTwP88EtEa4%2FEh2c1yX4au0cEzWFhOOdi63US4QJHZ9FX%2FyOvzwI23rRoEovIBoq0bBbm4f8%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fa35e7ac87e43ac-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=6742&min_rtt=6736&rtt_var=2530&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2860&recv_bytes=731&delivery_rate=429928&cwnd=242&unsent_bytes=0&cid=38f7dcef1f159c0a&ts=929&x=0"
inadyn[2938759]: Fatal error in DDNS server response: DDNS server response not OK
inadyn[2938759]:
inadyn[2938759]: Error response from DDNS server, exiting!
inadyn[2938759]: Error code 48: DDNS server response not OK
> > Are you omitting https:// from the server field?
> Yes, I do.
> But I think I found the underlying root cause already with applied --loglevel=debug:
> More than one zone was found! You must supply an API Token scoped to a single zone.
> However the API token is already restricted to a single DNS zone (plus Account -> Worker Scripts -> Edit). Not sure if the latter is needed.
Are you using a User API Token or an Account API Token? Only the User API Token is supported
> Are you using a User API Token or an Account API Token? Only the User API Token is supported
Yes, it's a user API token; not a global API key. But removing the account worker scripts permissions made it a step further (see https://github.com/willswire/unifi-ddns/issues/75#issuecomment-2565672596). But inadyn is still not satisfied with the response...
Yeah that’s weird @mike2307. Let’s try adding some content to the response and see if that helps.
@mike2307 can you try deploying the 75-openssl-handshake-error-40-when-updating branch, which includes content in the HTTP 200 success response?
> @mike2307 can you try deploying the 75-openssl-handshake-error-40-when-updating branch, which includes content in the HTTP 200 success response?
Yes! This results in a success. :+1:
Great! Merging the PR and closing this issue
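A small triage helper for the inadyn debug output pasted in this thread, as an added example that is not part of the original discussion or of either project: it masks the `Authorization` header (which `--loglevel=debug` prints in full) before a log is shared, and labels the three failure signatures seen above. The sample log, host names and label strings are constructed for illustration.

```python
import re

# Constructed sample, modelled on the debug output quoted in this thread.
SAMPLE = """\
inadyn[1000]: Sending alias table update to DDNS server: GET /update?ip=192.0.2.10&hostname=host.example.net HTTP/1.0
Host: ddns.example.workers.dev
Authorization: Basic Y29uc3RydWN0ZWQ6ZXhhbXBsZQ==
User-Agent: inadyn/2.12.0 https://github.com/troglobit/inadyn/issues
inadyn[1000]: DDNS server response: HTTP/1.1 200 OK
Content-Length: 0
Connection: close
inadyn[1000]: Fatal error in DDNS server response: DDNS server response not OK
inadyn[1000]: Error code 48: DDNS server response not OK
"""

# The header value is base64(user:token). The pattern is not line-anchored,
# so it also matches when a paste has been flattened onto one line.
AUTH_RE = re.compile(r"(Authorization:[ \t]*\S+[ \t]+)\S+", re.IGNORECASE)


def redact(log: str) -> str:
    """Replace the credential in any Authorization header with a marker."""
    return AUTH_RE.sub(r"\g<1>[REDACTED]", log)


def classify(log: str) -> list[str]:
    """Return the failure signatures from this thread that appear in the log."""
    found = []
    alert = re.search(r"SSL alert number (\d+)", log)
    if alert and alert.group(1) == "40":
        found.append("tls-handshake-failure-alert-40")
    if "More than one zone was found" in log:
        found.append("api-token-not-single-zone")
    ok_200 = re.search(r"HTTP/1\.[01] 200", log)
    empty = re.search(r"Content-Length:\s*0\b", log, re.IGNORECASE)
    if ok_200 and empty and "Error code 48" in log:
        found.append("http-200-empty-body-rejected")
    return found


if __name__ == "__main__":
    print(redact(SAMPLE))
    print(classify(SAMPLE))
```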