FortiGate
sripudaman
Staff
Article Id 206672

Description

This article describes which special characters are legitimate in domain names when configuring domains on FortiGate.

 

Scope

FortiGate all versions 

 

Solution

Users may face issues in getting the FortiDDNS domains registered.

The configuration is the same for the following FortiGate versions:

FortiGate 5.6, 6.0, 6.4, 7.0

 

The following special characters are legitimate when defining a domain and registering it on the FortiGuard DDNS servers:

“.” and “-”. Any other characters, such as “>”, “<”, “_”, “:”, etc., are not considered legitimate, and as a result the domains do not get registered.

 

Characters that would work

[Screenshot: Capture1.PNG]

 

Notice here that only “.” and “-” are accepted as special characters in a domain.

Other characters are not considered legitimate and will always produce an error.

[Screenshot: Capture2.PNG]

 

Such a domain may sometimes be shown as available, but the update will always fail in the debug output. Below are examples of a working and a non-working setup.

 

Working setup

 

# diagnose debug application ddnscd -1

# diagnose debug enable

# execute update-now

 

1636894422: Start to update FortiGuardDDNS (MBZUH.1208.fortiddns.com)

1636894422: next wait timeout 10 seconds

[111] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)

[111] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory_Backup.cer, root ca Fortinet_CA_Backup, idx 1

[721] ssl_ctx_create_new_ex: SSL CTX is created

[748] ssl_new: SSL object is created

fgt_ddns_connect()-725: SSL connecting

[621] __ssl_info_callback: before SSL initialization

[621] __ssl_info_callback: SSLv3/TLS write client hello

__ddns_ssl_connect()-651: ssl_res=1

[621] __ssl_info_callback: SSLv3/TLS write client hello

__ddns_ssl_connect()-651: ssl_res=1

[621] __ssl_info_callback: SSLv3/TLS read server hello

[621] __ssl_info_callback: SSLv3/TLS read server certificate

[645] __ssl_info_callback: Current cert idx 0, SSL verion 'TLS 1.2'

[656] __ssl_info_callback: Got server cert chain, num 3

[664] __ssl_info_callback: Server root issuer /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA

[667] __ssl_info_callback: Client root issuer /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=fortinet-ca2/emailAddress=support@fortinet.com

[596] __ssl_switch_cert: Update with next cert, idx 1

[621] __ssl_info_callback: SSLv3/TLS read server key exchange

[621] __ssl_info_callback: SSLv3/TLS read server certificate request

[621] __ssl_info_callback: SSLv3/TLS read server done

[621] __ssl_info_callback: SSLv3/TLS write client certificate

[621] __ssl_info_callback: SSLv3/TLS write client key exchange

[621] __ssl_info_callback: SSLv3/TLS write certificate verify

[621] __ssl_info_callback: SSLv3/TLS write change cipher spec

[621] __ssl_info_callback: SSLv3/TLS write finished

__ddns_ssl_connect()-651: ssl_res=1

[621] __ssl_info_callback: SSLv3/TLS write finished

[621] __ssl_info_callback: SSLv3/TLS read server session ticket

[621] __ssl_info_callback: SSLv3/TLS read change cipher spec

[621] __ssl_info_callback: SSLv3/TLS read finished

__ddns_ssl_connect()-651: ssl_res=0

fgd_ddns_fcp_exchange()-860: Sending FCPC=Protocol=3.4|SerialNumber=FGT60FTK21036992|Firmware=FGT60F-FW-6.02-1142|Command=DDNSUpdate|DomainName=MBZUH.1208.fortiddns.com|Address=Automatic

fgt_unpack_fcpr()-567: Unpacked obj: Protocol=3.4|SerialNumber=DDNS-ANY-VM-0102|ResponseStatus=1|Command=DDNSUpdate|DomainName=MBZUH.1208.fortiddns.com|Address=31.219.155.34

fgd_ddns_fcp_exchange()-891: Recvd FCPR=Protocol=3.4|SerialNumber=DDNS-ANY-VM-0102|ResponseStatus=1|Command=DDNSUpdate|DomainName=MBZUH.1208.fortiddns.com|Address=31.219.155.34

[201] __ssl_data_ctx_free: Done

[1012] ssl_free: Done

[193] __ssl_cert_ctx_free: Done

[1022] ssl_ctx_free: Done

[1003] ssl_disconnect: Shutdown

fgd_ddns_extract_fcpr_rcode()-416: code=1

fgd_ddns_extract_fcpr_bound_ip()-446: Bound ip=31.219.155.34

1636894423: Succeed to update FortiGuardDDNS (MBZUH.1208.fortiddns.com ==> 31.219.155.34)

 

Non-Working Setup

 

1636893652: Start to update FortiGuardDDNS (MBZUH_1208.fortiddns.com)

1636893652: next wait timeout 10 seconds

[111] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)

[111] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory_Backup.cer, root ca Fortinet_CA_Backup, idx 1

[721] ssl_ctx_create_new_ex: SSL CTX is created

[748] ssl_new: SSL object is created

fgt_ddns_connect()-725: SSL connecting

[621] __ssl_info_callback: before SSL initialization

[621] __ssl_info_callback: SSLv3/TLS write client hello

__ddns_ssl_connect()-651: ssl_res=1

[621] __ssl_info_callback: SSLv3/TLS write client hello

__ddns_ssl_connect()-651: ssl_res=1

[621] __ssl_info_callback: SSLv3/TLS read server hello

[621] __ssl_info_callback: SSLv3/TLS read server certificate

[645] __ssl_info_callback: Current cert idx 0, SSL verion 'TLS 1.2'

[656] __ssl_info_callback: Got server cert chain, num 3

[664] __ssl_info_callback: Server root issuer /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA

[667] __ssl_info_callback: Client root issuer /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=fortinet-ca2/emailAddress=support@fortinet.com

[596] __ssl_switch_cert: Update with next cert, idx 1

[621] __ssl_info_callback: SSLv3/TLS read server key exchange

[621] __ssl_info_callback: SSLv3/TLS read server certificate request

[621] __ssl_info_callback: SSLv3/TLS read server done

[621] __ssl_info_callback: SSLv3/TLS write client certificate

[621] __ssl_info_callback: SSLv3/TLS write client key exchange

[621] __ssl_info_callback: SSLv3/TLS write certificate verify

[621] __ssl_info_callback: SSLv3/TLS write change cipher spec

[621] __ssl_info_callback: SSLv3/TLS write finished

__ddns_ssl_connect()-651: ssl_res=1

[621] __ssl_info_callback: SSLv3/TLS write finished

[621] __ssl_info_callback: SSLv3/TLS read server session ticket

[621] __ssl_info_callback: SSLv3/TLS read change cipher spec

[621] __ssl_info_callback: SSLv3/TLS read finished

__ddns_ssl_connect()-651: ssl_res=0

fgd_ddns_fcp_exchange()-860: Sending FCPC=Protocol=3.4|SerialNumber=FGT60FTK21036992|Firmware=FGT60F-FW-6.02-1142|Command=DDNSUpdate|DomainName=MBZUH_1208.fortiddns.com|Address=Automatic

fgt_unpack_fcpr()-567: Unpacked obj: Protocol=3.4|SerialNumber=DDNS-ANY-VM-0102|ResponseStatus=-3|Command=DDNSUpdate|DomainName=MBZUH_1208.fortiddns.com|Address=31.219.155.34

fgd_ddns_fcp_exchange()-891: Recvd FCPR=Protocol=3.4|SerialNumber=DDNS-ANY-VM-0102|ResponseStatus=-3|Command=DDNSUpdate|DomainName=MBZUH_1208.fortiddns.com|Address=31.219.155.34

[201] __ssl_data_ctx_free: Done

[1012] ssl_free: Done

[193] __ssl_cert_ctx_free: Done

[1022] ssl_ctx_free: Done

[1003] ssl_disconnect: Shutdown

fgd_ddns_extract_fcpr_rcode()-416: code=-3

1636893654: Failed on update FortiGuardDDNS (MBZUH_1208.fortiddns.com), next try at 1636893714

 

Notice the error highlighted in the debug output. Changing the special characters to “.” or “-” will resolve the issue.
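The comparison above can be automated when reviewing saved ddnscd debug output. The following is an added example, not Fortinet code: it parses the "Recvd FCPR=" lines, reports the ResponseStatus for each domain, and lists the characters the article says are rejected. The sample lines are constructed on the pattern of the output above, and letters and digits are assumed to be valid alongside “.” and “-”.

```python
import re

# Per the article, "." and "-" are the only special characters accepted.
# Assumption: ASCII letters and digits are valid, as in the working example.
OK_CHAR = re.compile(r"[A-Za-z0-9.-]")
FCPR_LINE = re.compile(r"Recvd FCPR=(\S+)")

def bad_chars(domain):
    """Return the sorted list of characters that would block registration."""
    return sorted({c for c in domain if not OK_CHAR.fullmatch(c)})

def parse_fcpr(line):
    """Turn a 'Recvd FCPR=k=v|k=v|...' debug line into a dict, else None."""
    m = FCPR_LINE.search(line)
    if not m:
        return None
    return dict(f.split("=", 1) for f in m.group(1).split("|") if "=" in f)

def triage(debug_text):
    """Return (domain, response_status, rejected_chars) per DDNS response."""
    results = []
    for line in debug_text.splitlines():
        fields = parse_fcpr(line)
        if fields and fields.get("Command") == "DDNSUpdate":
            domain = fields.get("DomainName", "")
            status = int(fields["ResponseStatus"])
            results.append((domain, status, bad_chars(domain)))
    return results

# Constructed sample lines (placeholder serial, domains and address).
SAMPLE = """\
fgd_ddns_fcp_exchange()-891: Recvd FCPR=Protocol=3.4|SerialNumber=DDNS-EXAMPLE|ResponseStatus=1|Command=DDNSUpdate|DomainName=site-a.branch1.fortiddns.com|Address=203.0.113.10
fgd_ddns_extract_fcpr_rcode()-416: code=1
fgd_ddns_fcp_exchange()-891: Recvd FCPR=Protocol=3.4|SerialNumber=DDNS-EXAMPLE|ResponseStatus=-3|Command=DDNSUpdate|DomainName=site_a.fortiddns.com|Address=203.0.113.10
fgd_ddns_extract_fcpr_rcode()-416: code=-3
"""

if __name__ == "__main__":
    for domain, status, rejected in triage(SAMPLE):
        verdict = "registered" if status == 1 else "failed"
        print(f"{domain}: ResponseStatus={status} ({verdict}), rejected chars: {rejected}")
```

Running bad_chars() on a proposed name before configuring it catches the problem without waiting for the server to return a failure.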
