Upgrading from 23.1 to 23.7 - Newbie Question

Started by connervt, September 16, 2023, 02:50:57 PM

September 22, 2023, 07:44:55 AM #15 Last Edit: September 22, 2023, 08:07:46 AM by newsense
OK this is getting weird.

Set up another FW, same steps, different host, and I'm getting a cert validation error.

I don't get why this is an issue or why www.duckdns.org would have to match the SANs in the GUI certificate.


Quote
Caused by SSLError(CertificateError("hostname 'www.duckdns.org' doesn't match either of 'opnsense.localdomain', 'opnsense',

OK, Fixed.

Anyone seeing the issue above, check your DNS resolver. Some list(s) block wildcard duckdns.org

Quote from: connervt on September 22, 2023, 01:27:22 AM
franco, CJ and newsense - Thank you all for your input.  I keep on learning with it all.  As for my flash drive collection, old habits die hard.  But still a good choice - portable, can usually get it to boot on any system, and lives in the desk drawer where my servers and network live, so I (usually) can find what I need.

CJ is right - Duckdns uses a token in the password field.  I cut/pasted it right from my duckdns.org account page.  What is interesting (and probably a good thing?) is while the string from the log is similar in format to my token, they are not the same.  (same 8-4-4-4-12 char cadence)

As I wrote earlier, I set things up based on a recent post from here.  Not really all that much to configure, so unsure if it is dumbness on my end or ...?  Screenshots attached.

I agree with newsense.  Try checking Force SSL.

Quote from: newsense on September 22, 2023, 08:07:05 AM
OK, Fixed.

Anyone seeing the issue above, check your DNS resolver. Some list(s) block wildcard duckdns.org

Such fun. :D

Sorry to have dropped off the radar for several days.  I had been reading your responses (and much appreciate them).  My work has me doing four 12-hour days, then followed by a family emergency.

I tried what was suggested previously, none of it giving much success.  I have finally received a positive result from both my logs and duckdns, by doing the unexpected - I set the Backend to ddclient, not native.

I'm not one to argue with success, but I thought that native was developed specifically to work with OPNsense?

The problem is that if you mix and match and erratically change the backend, your account settings are wrong because they belong to the other backend.

The best approach is to pick a backend, clear all the accounts and add them back (making sure not to switch the backend anymore).

https://github.com/opnsense/plugins/issues/3570


Cheers,
Franco

Thanks franco.  I tried again, but end up with the same result.  Working with ddclient as backend.  Not working with native.

I deleted all accounts then removed and reinstalled plugin.  Set a bogus IP address in the duckdns website for my testing domain.  Reinstalled plugin.  Set Backend = native (it defaults to ddclient).  Hit Apply and restarted service.  Created account, Save, Apply.  Result was failure message in log and no update recorded on duckdns website.

Next I deleted account, set backend = ddclient.  Hit Apply and restarted service.  Created account, Save, Apply.  Success message in log and updated IP address shown in duckdns website.

Very strange.  I understand where you were going with your last post, makes perfect sense.  But I guess I'll stay on the ddclient backend for now.  It isn't mission critical for my setup, as it is only used as an ISP/firewall watchdog (all of my true domains are managed via Cloudflare tunnels).

My duckdns works on ddclient and native backend that I currently use. Updated yesterday. Just checked IP and it matches.

I don't deny there's an issue. It's just not clear what it is.


Cheers,
Franco

Interesting.  I was afraid I was going to have to recreate my config as franco recommends, but I changed literally nothing except the backend from ddclient to native and everything worked just fine.

The only differences I've seen are that native recognizes that the IP is already set and doesn't need to be changed whereas ddclient would send a change request every interval despite getting a success result.  Also, ddclient would log the actual req/resp while native does not.