Uclient-fetch and basic auth

Short version: Install curl to automatically replace uclient-fetch. With curl, basic authentication works; with uclient-fetch it does not.

Longer:
I'm using Eurodns and then their dynamic dns. I didn't get it working and I need to use basic auth in the URL.

The log always had a response from the server explaining that authentication failed. Finally I tried the mentioned uclient-fetch command on the router command line, and even then the authentication failed. At the same time I was able to successfully update my IP with curl and the URL. That required installing the curl package. Then I did some tcpdump and understood the problem: uclient-fetch didn't create the basic authentication header. No wonder authentication failed without any authentication! Then, before requesting help from the forums, I tried one last time to reproduce the issue to have the log, but now I saw curl replacing uclient-fetch in the log and the IP update succeeding. Apparently, curl did the basic authentication right.

Is this how uclient-fetch should be working or did I miss something? A bug? I'm running OpenWrt SNAPSHOT r10386-030d3f48e5 as snapshot was the recommended image for my ZyXEL NBG6817.

Also, the TLS certificate for update.eurodyndns.org was not found in /etc/ssl/certs after installing ca-certificates. It is, however, found in Firefox, so I exported the CA to my router and specified the direct path to it. It did the trick. Is that as it should be?

Additionally some notes if you are using Eurodns DDNS

  • check Eurodns Dynamic DNS documentation
  • install curl package
  • export root CA of update.eurodyndns.org and copy to router. Provide the path to LuCI parameter "Path to CA-Certificate"
  • LuCI Custom update-URL
    https://[USERNAME]:[PASSWORD]@update.eurodyndns.org/update/?hostname=[DOMAIN]&myip=[IP]
  • Fill in the other necessary information

Funny thing, Eurodns instructs to use eurodyndns.org in URL and the certificate is for update.eurodyndns.org.

Any ideas whether this should be reported as a bug?

uclient-fetch -O /dev/null "https://openwrt.org/"
uclient-fetch -O - "https://eurodyndns.org/"
uclient-fetch -O - "https://update.eurodyndns.org/"
uclient-fetch -O - "https://update.eurodyndns.org/update/"
uclient-fetch -O - "https://[USERNAME]:[PASSWORD]@update.eurodyndns.org/update/?hostname=[DOMAIN]&myip=[IP]"
uclient-fetch -O - --user="[USERNAME]" --password="[PASSWORD]" "https://update.eurodyndns.org/update/?hostname=[DOMAIN]&myip=[IP]"

What does it say?

Path update so the last three require authentication and that fails with uclient-fetch. Works with curl.

EuroDNS Dynamic DNS documentation is here and it explains the answer https://www.eurodns.com/dynamic-dns-documentation

# uclient-fetch -O /dev/null "https://openwrt.org/"
Downloading 'https://openwrt.org/'
Connecting to 2a03:b0c0:3:d0::1af1:1:443
Writing to '/dev/null'

Download completed (29010 bytes)
# uclient-fetch -O /dev/null "https://eurodyndns.org/"
Downloading 'https://eurodyndns.org/'
Connecting to 80.92.65.89:443
Connection error: Server hostname does not match SSL certificate
# uclient-fetch -O - "https://update.eurodyndns.org/update/"
Downloading 'https://update.eurodyndns.org/update/'
Connecting to 80.92.65.89:443
Writing to stdout
badauth
Download completed (7 bytes)
# uclient-fetch -O - --user="validuser" --password="validpass" "https://update.eurodyndns.org/update/?hostname=host%&myip=ip"
Downloading 'https://update.eurodyndns.org/update/?hostname=host%&myip=ip'
Connecting to 80.92.65.89:443
Writing to stdout
badauth
Download completed (7 bytes)
# uclient-fetch -O - "https://validuser:validpass@update.eurodyndns.org/update/?hostname=host&myip=ip"
Downloading 'https://validuser:validpass@update.eurodyndns.org/update/?hostname=host&myip=ip'
Connecting to 80.92.65.89:443
Writing to stdout
badauth
Download completed (7 bytes)

To be sure, you can also try the last 2 commands with the same user agent as curl -v.
If you can achieve success using curl with the same credentials and URL, then it really seems like a bug.

Now I notice my post is missing that I was using LuCI dynamic dns configurator. Anyway, when tcpdumping it using uclient-fetch the request did not even have the basic authentication header. I haven't tried capturing traffic now running uclient-fetch on command line.


uclient-fetch, as a clone of wget, uses Auth Challenge. The first request is sent without credentials and the server should respond with 401 AND realm. Only then will wget send another request with credentials.
When you are using wget you can add the --auth-no-challenge option to send the request directly.
I proposed to remove the Auth Challenge from uclient-fetch: "Uclient-fetch: add more options from wget and uclient-curl"

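The challenge behaviour described in the last reply, as an added example that is not part of the original thread or of uclient-fetch itself: a local stand-in server and a client that either waits for a 401 challenge or sends the Basic header on the first request. The server that answers with a plain `badauth` body and no challenge is an assumption modeled on the output shown earlier in the thread; the realm name, credentials and IP are constructed.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

USER, PASSWORD = "validuser", "validpass"  # constructed sample credentials
EXPECTED = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()

def make_server(send_challenge):
    """Local stand-in endpoint: send_challenge picks 401+realm or a bare 'badauth' body."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.headers.get("Authorization") == EXPECTED:
                status, body, challenge = 200, b"good", False
            elif send_challenge:
                status, body, challenge = 401, b"", True
            else:  # assumed behaviour: no 401, just an error string in the body
                status, body, challenge = 200, b"badauth", False
            self.send_response(status)
            if challenge:
                self.send_header("WWW-Authenticate", 'Basic realm="ddns"')
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        def log_message(self, *args):  # keep the demo quiet
            pass
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def fetch(port, preemptive):
    """Return (body, requests_sent); preemptive=True sends credentials immediately."""
    headers = {"Authorization": EXPECTED} if preemptive else {}
    sent = 0
    while True:
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
        conn.request("GET", "/update/?hostname=host&myip=192.0.2.1", headers=headers)
        resp = conn.getresponse()
        body = resp.read().decode()
        challenged = resp.status == 401 and resp.getheader("WWW-Authenticate", "").startswith("Basic")
        conn.close()
        sent += 1
        if challenged and "Authorization" not in headers:
            headers = {"Authorization": EXPECTED}  # answer the challenge on a second request
            continue
        return body, sent

if __name__ == "__main__":
    for label, challenge in (("401 + realm", True), ("no challenge", False)):
        port = make_server(challenge).server_address[1]
        print(label, "| challenge-based:", fetch(port, False), "| preemptive:", fetch(port, True))
```

Against the non-challenging server the challenge-based client never sends credentials at all, which matches a packet capture with no Authorization header.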