DDNS ssl problem update

octopus · April 16, 2026, 7:03pm

My ddns stop updating afraid.org.
I get ssl curl error 35.

The cURL error 35 can appear when the cURL function cannot connect to your website using SSL.

I have test and can't find any that is wrong.

205748  note : PID '26123' started at 2026-04-16 20:57
 205748       : ddns version  : 2.8.3-2
 205748       : uci configuration:
ddns.afraid_ipv4.cacert='/etc/ssl/certs/ca-certificates.crt'
ddns.afraid_ipv4.check_interval='15'
ddns.afraid_ipv4.check_unit='minutes'
ddns.afraid_ipv4.domain='xxxxx.se'
ddns.afraid_ipv4.enabled='1'
ddns.afraid_ipv4.force_interval='10'
ddns.afraid_ipv4.force_unit='days'
ddns.afraid_ipv4.interface='wan'
ddns.afraid_ipv4.ip_source='web'
ddns.afraid_ipv4.ip_url='http://ipv4.ident.me/'
ddns.afraid_ipv4.lookup_host='xxxx.xxxxx.se'
ddns.afraid_ipv4.password='***PW***'
ddns.afraid_ipv4.retry_interval='20'
ddns.afraid_ipv4.retry_max_count='0'
ddns.afraid_ipv4.retry_unit='minutes'
ddns.afraid_ipv4.service_name='afraid.org-keyauth'
ddns.afraid_ipv4.use_https='1'
ddns.afraid_ipv4.use_ipv6='0'
ddns.afraid_ipv4.use_syslog='2'
ddns.afraid_ipv4.username='.'
ddns.afraid_ipv4=service
 205748       : verbose mode  : 0 - run normal, NO console output
 205748       : check interval: 900 seconds
 205748       : force interval: 864000 seconds
 205748       : retry interval: 1200 seconds
 205748       : retry max count : 0 times
 205748       : 'SIGTERM' was send to old process
 205748       : last update: never
 205748       : Detect registered/public IP
 205748       : #> /usr/bin/nslookup xxxx.xxxxx.se  >/var/run/ddns/afraid_ipv4.dat 2>/var/run/ddns/afraid_ipv4.err
 205748       : Registered IP '176.10.xxx.xxx' detected
 205748  info : Starting main loop at 2026-04-16 20:57
 205748       : Detecting current IP using source: web
 205748       : #> /usr/bin/curl -RsS -o /var/run/ddns/afraid_ipv4.dat --stderr /var/run/ddns/afraid_ipv4.err --cacert /etc/ssl/certs/ca-certificates.crt --noproxy '*' 'http://ipv4.ident.me/'
 205748       : Current IP '176.10.xxx.xxx detected via web at 'http://ipv4.ident.me/'
 205749       : Detected IP: 176.10.xxx.xxx
 205749       : Forced Update - L: '176.10.xxx.xxx' == R: '176.10.xxx.xxx'
 205749       : #> /usr/bin/curl -RsS -o /var/run/ddns/afraid_ipv4.dat --stderr /var/run/ddns/afraid_ipv4.err --cacert /etc/ssl/certs/ca-certificates.crt --noproxy '*' 'https://freedns.afraid.org/dynamic/update.php?***PW***&address=176.10.xxx.xxx'
 205749 ERROR : cURL Error: '35'
 205749       : curl: (35) ssl_handshake returned: (-0x6600) SSL - A field in a message was incorrect or inconsistent with other fields
 205749  WARN : Transfer failed - retry 1/0 in 1200 seconds

frollic · April 16, 2026, 7:09pm

Tried running the 4th line from the bottom from the prompt?

octopus · April 16, 2026, 7:15pm

-sh: /usr/bin/curl: not found

frollic · April 16, 2026, 7:16pm

Skip the path, just curl ... etc.

octopus · April 16, 2026, 7:17pm

curl: (23) client returned ERROR on write of 57 bytes

frollic · April 16, 2026, 7:19pm

Remove the --stderr param or check content of /var/run/ddns/afraid_ipv4.err.

octopus · April 16, 2026, 7:20pm

Wait, tested on wrong device.

octopus · April 16, 2026, 7:21pm

This right.
-ash: ts/ca-certificates.crt: not found

frollic · April 16, 2026, 7:22pm

There's a ca cert package (full name unknown), is it installed ?

octopus · April 16, 2026, 7:25pm

Yes, I have ca-packages installed.

When tested now with String and only "curl" it seems to working.

curl -RsS -o /var/run/ddns/afraid_ipv4.dat --stderr /var/run/ddns/afraid_ipv4.err --cacert /etc/ssl/certs/ca-certificates.crt
--noproxy '*' 'https://freedns.afraid.org/dynamic/update.php?<key>&address=176.10.xxx.xxx'

octopus · April 16, 2026, 7:28pm

It's even working with: /usr/bin/curl

AndrewZ · April 16, 2026, 7:38pm

Consider using "v2 token", option #1 here: https://openwrt.org/docs/guide-user/services/ddns/client#freednsafraidorg

octopus · April 16, 2026, 7:41pm

Okey, I can test

octopus · April 16, 2026, 7:48pm

Same Curl error 35 with "v2 token"

curl: (35) ssl_handshake returned: (-0x6600) SSL - A field in a message was incorrect or inconsistent with other fields

AndrewZ · April 16, 2026, 7:54pm

Restart DDNS, not the individual service, then post the client log like one in the 1st message.

octopus · April 16, 2026, 8:00pm

215658  note : PID '14253' terminated by 'SIGTERM' at 2026-04-16 21:56
 215658       : ************ ************** ************** **************
 215658  note : PID '14990' started at 2026-04-16 21:56
 215658       : ddns version  : 2.8.3-2
 215658       : uci configuration:
ddns.afraid_ipv4.check_interval='15'
ddns.afraid_ipv4.check_unit='minutes'
ddns.afraid_ipv4.domain='xinit.se'
ddns.afraid_ipv4.enabled='1'
ddns.afraid_ipv4.force_interval='10'
ddns.afraid_ipv4.force_unit='days'
ddns.afraid_ipv4.interface='wan'
ddns.afraid_ipv4.ip_source='web'
ddns.afraid_ipv4.ip_url='http://checkip.dyndns.com'
ddns.afraid_ipv4.lookup_host='four.xinit.se'
ddns.afraid_ipv4.password='***PW***'
ddns.afraid_ipv4.retry_interval='20'
ddns.afraid_ipv4.retry_max_count='0'
ddns.afraid_ipv4.retry_unit='minutes'
ddns.afraid_ipv4.service_name='afraid.org-v2-token'
ddns.afraid_ipv4.use_ipv6='0'
ddns.afraid_ipv4.use_syslog='2'
ddns.afraid_ipv4.username='.'
ddns.afraid_ipv4=service
 215658       : verbose mode  : 0 - run normal, NO console output
 215658       : check interval: 900 seconds
 215658       : force interval: 864000 seconds
 215658       : retry interval: 1200 seconds
 215658       : retry max count : 0 times
 215658       : 'SIGTERM' was send to old process
 215659       : last update: never
 215659       : Detect registered/public IP
 215659       : #> /usr/bin/nslookup four.xinit.se  >/var/run/ddns/afraid_ipv4.dat 2>/var/run/ddns/afraid_ipv4.err
 215659       : Registered IP '176.10.xxx.xxx' detected
 215659  info : Starting main loop at 2026-04-16 21:56
 215659       : Detecting current IP using source: web
 215659       : #> /usr/bin/curl -RsS -o /var/run/ddns/afraid_ipv4.dat --stderr /var/run/ddns/afraid_ipv4.err --noproxy '*' 'http://checkip.dyndns.com'
 215659       : Current IP '176.10.xxx.xxx' detected via web at 'http://checkip.dyndns.com'
 215659       : Detected IP: 176.10.xxx.xxx
 215659       : Update needed - L: '176.10.xxx.xxx' <> R: '176.10.xxx.xxx'
 215659       : #> /usr/bin/curl -RsS -o /var/run/ddns/afraid_ipv4.dat --stderr /var/run/ddns/afraid_ipv4.err --noproxy '*' 'https://sync.afraid.org/u/***PW***/?address=176.10.xxx.xxx'
 215659 ERROR : cURL Error: '35'
 215659       : curl: (35) ssl_handshake returned: (-0x6600) SSL - A field in a message was incorrect or inconsistent with other fields
 215659  WARN : Transfer failed - retry 1/0 in 1200 seconds

AndrewZ · April 16, 2026, 8:10pm

It works for me as we speak.
Do you see the same error with curl -I https://sync.afraid.org ?
Is the timezone correct on your router?

octopus · April 16, 2026, 8:13pm

root@Defcon:~# curl -I https://sync.afraid.org
curl: (35) ssl_handshake returned: (-0x6600) SSL - A field in a message was incorrect or inconsistent with other fields

Yes, is local time and it's right

AndrewZ · April 16, 2026, 8:14pm

Let's compare curl -V output.

octopus · April 16, 2026, 8:15pm

root@Defcon:~# curl -V
curl 8.19.0 (aarch64-openwrt-linux-gnu) libcurl/8.19.0 mbedTLS/3.6.6 nghttp2/1.66.0
Release-Date: 2026-03-11
Protocols: file ftp ftps http https mqtt mqtts
Features: alt-svc HSTS HTTP2 HTTPS-proxy IPv6 Largefile SSL threadsafe UnixSockets