DDNSCertificateError: Invalid certificate

bmc24 · 18 June 2025 11:48

Hello Community,

Since today, this error has been displayed on several IPFire systems and no DDNS updates have been performed.
All providers are affected.
freedns.afraid.org, Duck DNS, SPDYN, Selfhost.de, …

Thank you for support

bonnietwin · 18 June 2025 12:24

The DDNS updates are working with the provider I am using - Dynu.com

I just tested it out by changing the IP that dynu.com had for my url and it was updated by IPFire when I did an instant update.

I then searched for that error message in the IPFire DDNS code.

That message is thrown when the DDNS server being accessed has presented an invalid certificate.

I will try and see if I can temporarily get a url from one of those providers to try and reproduce what you are seeing.

hobbybyte · 18 June 2025 11:52

Since today, I’ve been having problems with some DynDNS providers, such as Dynu and NoIP. The update fails with the message:

ddns DDNSCertificateError: Invalid certificate
ddns Dynamic DNS update for xyz.domain1.xxx (Dynu) failed

ddns DDNSCertificateError: Invalid certificate
ddns Dynamic DNS update for xyz.domain2.xxx (NoIP) failed:

This error appears every 5 minutes and no update is performed.
There’s not even an attempt to contact the DDNS provider.
It appears to be an internal issue and is independent of the IPFire version.

hobbybyte · 18 June 2025 12:05

It seems to affect almost all DDNS providers!
The problem doesn’t seem to be with the update, but rather with verifying the IP address.
Interestingly, if you create a new domain, exactly one correct update occurs. After that, only the error occur every 5 minutes.

hobbybyte · 18 June 2025 12:20

My guess is that the certificate of the remote site used to verify the external IP expired yesterday. That would explain the errors.

Yes, the problem is external.

IPFire uses the following server to determine an external IP V4:

checkip4.dns.lightningwirelabs.com

This uses an E6 Let’s Encrypt certificate that expired on June 17, 2025. Unfortunately, no additional server is configured by default for redundancy, so IPFire is dependent on this provider.

@bonnietwin
Since you moved my post, I can only edit it, not reply.
your post is unfortunately not true. The errror has nothing todo with the ddns server. Your dynu config works, while you are not using an external IP. Your IPFire Red Interface get the IP directly. That is another configuration

ag · 18 June 2025 13:12

I’ve passed on this information. Thanks for letting us know. I’m sure it’ll be resolved promptly.

Cheers,
A G

pscar13 · 18 June 2025 13:14

since this morning 1:40 a.m. I also get the error

Jun 18 01:40:00 ipfire ddns[28698]: Dynamic DNS update for <mydomain.xxx> (Dynu) failed:
Jun 18 01:40:00 ipfire ddns[28698]:   DDNSCertificateError: Invalid certificate

When I restart IPFire
Every 5 minutes and also when I try “Instant update” on the ddns.cgi page

hobbybyte · 18 June 2025 14:24

Thanks for passing the info.
The certificate has just been updated.

ag · 18 June 2025 14:24

Hi all

This should now be resolved.

Please can those affected try again and report back?

Thanks,
A G

hobbybyte · 18 June 2025 14:36

Yes, everything is working flawlessly again.
Thank you very much !!!

However, it would be worth considering making such an important service redundant in IPFire. In the current configuration, all DDNS providers depend on the availability of this one server, and something like this can happen from time to time. And by enabling HTST, it was also difficult to circumvent.

bmc24 · 18 June 2025 15:28

The problem is solved.
Thank you very much for your help.