Suboptimal SSL cert renewal scheme

Hello -

My Channels DVR stopped working remotely a couple of days ago and I'm just now getting time to figure out what's up with it.

Apparently the SSL cert has expired. It will not renew automatically because Channels does not use the system DNS servers and my network blocks all DNS except for a Pi-hole in order to prevent devices from bypassing it.

It appears that 1.1.1.1 and 2606:4700:58::adf5:3bbf are the hardcoded DNS servers Channels expects to reach.

Channels should try the system DNS servers before trying to use a hardcoded server. It is not proper behavior to ignore the system DNS.

Further, the process to force renewal of the cert should be more clearly laid out if such a method of renewal is going to be used. In my case I've been banging away on the Update, Remote On/Off, and restarting the app for 15 minutes just to trigger a successful renewal - why doesn't it try to update when it gets a connection request and the cert is expired? Seems to be a good time to trigger a renewal so users could simply try again and have it work, assuming the renewal goes through properly.

Perhaps this might help:

you could also add a rule on your router to redirect all requests on port 53 to your Pi-hole. Then it won't matter what IP an app is using. All DNS requests will go where you want.

I have my EdgeRouter set up like this with a Destination NAT rule.

Edit: I actually have it set up with two rules for two groups of IPs that cover my whole subnet except for the RPi.
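As an added example (not from the post above or from the Channels project), here is the EdgeRouter Destination NAT setup the poster describes, written out in EdgeOS CLI syntax. It assumes the LAN interface is eth1 and the Pi-hole is at 192.168.1.2; instead of the two address groups the poster used, it uses an `exclude` rule so the Pi-hole's own upstream queries are not redirected back to itself. Both interface and address are assumptions, not values from the thread.

```edgeos
configure

# Rules are evaluated in ascending number order, so the exclusion must have
# a lower number than the redirect. eth1 and 192.168.1.2 are assumed values.
set service nat rule 5009 description "Do not redirect the Pi-hole's own upstream DNS"
set service nat rule 5009 type destination
set service nat rule 5009 inbound-interface eth1
set service nat rule 5009 protocol tcp_udp
set service nat rule 5009 destination port 53
set service nat rule 5009 source address 192.168.1.2
set service nat rule 5009 exclude

# Everything else on the LAN that talks to any IP on port 53 (TCP or UDP,
# including a hardcoded resolver such as 1.1.1.1) is rewritten to the Pi-hole.
set service nat rule 5010 description "Redirect all other DNS to the Pi-hole"
set service nat rule 5010 type destination
set service nat rule 5010 inbound-interface eth1
set service nat rule 5010 protocol tcp_udp
set service nat rule 5010 destination port 53
set service nat rule 5010 inside-address address 192.168.1.2
set service nat rule 5010 inside-address port 53

commit
save
exit
```

To check it, run `sudo tcpdump -ni eth1 port 53` on the router while a client does `dig @1.1.1.1 example.com`. The client's dig output will still say SERVER 1.1.1.1, because DNAT is transparent to the client; the proof is the query showing up in the Pi-hole's query log and the hit counter rising in `show nat statistics`. Two caveats: the rule only catches plaintext DNS on port 53, so a client using DNS over TLS (853) or DNS over HTTPS (443) bypasses it, and EdgeOS `service nat` applies to IPv4 only, so the IPv6 resolver named in the first post is not covered and needs a separate IPv6 firewall rule blocking outbound port 53.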

Well, I am back to this issue again. Why is it still a problem?

I am redirecting noncompliant DNS to my local DNS server. It still doesn't work.

Hardcoded DNS is very stupid - why is it not being used as a last resort?

Because for remote access, DNS-based verification is used. Channels needs access to the DNS to properly create/renew SSL certs.

And the hardcoded DNS is only used for this purpose, IIRC. Your preferred DNS set by your system does take precedence—at least it does on my system.

Please update to the latest pre-release by clicking and holding the Check for Updates button. The SSL certificate system has been redesigned not to rely on any local DNS.

DNS based verification does not require hardcoded DNS unless it is a private namespace. Since this is NOT a private namespace, it is not required.

SSL cert renewal does NOT use system DNS first. Capture the conversation and view it in Wireshark or similar.

This implies the opposite of what I'm complaining about.

The SSL renewal should try to use system-configured DNS first and then fail over to hardcoded DNS if local DNS does not work. Your description implies that it will not even try local DNS, which is the present behavior and is suboptimal.

We no longer make any type of DNS request from the DVR server software for SSL certificate purposes. The hardcoded DNS was removed, and system DNS is not needed any more.

Please update to the new build, and if you're still having problems then click Support > Submit Diagnostics at the top right and email us.