I am trying to set up SoftEther and have run into a problem with dynamic DNS on my VPN server. For my global IP address it says
"Unable to trust the certificate provided by the destination server. The setting to always verify the server certificate is enabled in the VPN Connection Settings. Either register a root certificate that can be trusted or register a individual certificate."
That is odd so I look at our firewall. Our firewall is resigning the certificate for the dynamic DNS servers as "untrusted". Hmm very odd. In the logs the firewall lists the resigned certificate asIP Address 130.158.6.119 Resolved Domain xe.x4.servers.ddns.softether-network.net] but when I check the certificate online I get
Common name : ddns-register-1.sehosts.com
Alternative names (SANs) :
Organization: sehosts.com
Issuer : ddns-register-1.sehosts.com
Ahh thus my firewall problem that the resolved name doesn't match the certificate name and it gets resigned as untrusted by my firewall.
Where do I update the server address for the SoftEther dynamic DNS servers so I can use ddns-register-1.sehosts.com? Or does anyone have any other ideas? Turning off our firewall SSL protection is obviously not a solution.
Thanks!!!
Dynamic DNS certificate problem
-
solo
- Posts: 1282
- Joined: Sun Feb 14, 2021 10:31 am
Re: Dynamic DNS certificate problem
The DDNS and SE server certificate issues are completely separate. Your DPI firewall is messing up with both. You can ignore DDNS, and for the server do https://www.vpnusers.com/viewtopic.php? ... 21#p100276
-
Whaleya
- Posts: 2
- Joined: Sat Dec 09, 2023 2:44 pm
Re: Dynamic DNS certificate problem
Hmmm.... my internet provider uses NAT so I need to use DDNS. (so I have NAT on the WAN port of my firewall) On our SoftEther server management page, under DDNS assigned host name it says "none" I'm trying to get a DDNS assigned host name so I can use SoftEther as my VPN solution. (I haven't gotten to the client config stage yet)
When I look at the firewall log files it shows xe.x4.servers.ddns.softether-network.net. If you enter that into any number of SSL checker services you get warnings that the certificate is self-signed and that none of the common names in the certificate match the name that was entered (xe.x4.servers.ddns.softether-network.net )
On the firewall, the way Fortigate works, I am not doing a full SSL inspection so I don't have to install a new CA certificate on my PC - the firewall isn't resigning everything. BUT since the firewall's limited inspection is seeing a basic issue with the DDNS server certificate it's flagging it (it was blocking it before I relaxed my SSL certificate rules in testing). The, now flagged certificate, is now getting rejected by SoftEther as untrusted.
To me, it really looks like it's not an issue with my firewall but an issue with the DDNS server certificate itself, hosted in Japan.
-W
When I look at the firewall log files it shows xe.x4.servers.ddns.softether-network.net. If you enter that into any number of SSL checker services you get warnings that the certificate is self-signed and that none of the common names in the certificate match the name that was entered (xe.x4.servers.ddns.softether-network.net )
On the firewall, the way Fortigate works, I am not doing a full SSL inspection so I don't have to install a new CA certificate on my PC - the firewall isn't resigning everything. BUT since the firewall's limited inspection is seeing a basic issue with the DDNS server certificate it's flagging it (it was blocking it before I relaxed my SSL certificate rules in testing). The, now flagged certificate, is now getting rejected by SoftEther as untrusted.
To me, it really looks like it's not an issue with my firewall but an issue with the DDNS server certificate itself, hosted in Japan.
-W
-
solo
- Posts: 1282
- Joined: Sun Feb 14, 2021 10:31 am
Re: Dynamic DNS certificate problem
Either uncheck "Always Verify Server Certificate" or do as advised.