diff --git a/plugins/dynamix/SSLSettings.page b/plugins/dynamix/SSLSettings.page
index c4066fe70..3f57ecc99 100644
--- a/plugins/dynamix/SSLSettings.page
+++ b/plugins/dynamix/SSLSettings.page
@@ -27,12 +27,16 @@ function provisionSSL(internalip, keyfile, form) {
result = false;
};
- $.post('https://keys.lime-technology.com/account/ssl/provisioncert',{internalip:internalip,externalip:'no',keyfile:keyfile},function(data) {
+ $.post('https://keys.lime-technology.com/account/ssl/provisioncert',{internalip:internalip,keyfile:keyfile},function(data) {
+ if (data.bundle) {
$.post("/webGui/include/CertUpload.php",{text:data.bundle,csrf_token:'=$var['csrf_token']?>'},function(data) {
- var msg = "Your Let's Encrypt SSL Certificate has been provisioned and a DNS record " +
- "for local IP address "+internalip+" has been created on unraid.net.";
- swal({title:'',text:msg,type:'success'},function(){form.submit();});
+ var msg = "Your Let's Encrypt SSL Certificate has been provisioned and a DNS record " +
+ "for local IP address "+internalip+" has been created on unraid.net.";
+ swal({title:'',text:msg,type:'success'},function(){form.submit();});
}).fail(failure);
+ } else {
+ failure({"status": 403, "responseJSON": {"error": "Server was unable to provision SSL certificate"}});
+ }
}).fail(failure);
return result;
}
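Review bot: The new `else` branch fabricates an HTTP 403 for a response that actually came back as 200 without a `bundle`, so whatever the provisioning endpoint said about the failure is discarded and the user is shown a generic message with a misleading status. If the endpoint includes an error field in that case (I cannot confirm its response shape from this hunk), prefer passing it through, e.g. `failure({status: 200, responseJSON: {error: data.error || "Server was unable to provision SSL certificate"}});`, and keep the synthetic status honest about where the failure occurred. Separately, the inner callback parameter on the `CertUpload.php` post is also named `data`, shadowing the provisioning response inside that callback; renaming it (`function(upload) {`) makes it clear that `data.bundle` refers to the remote response and not the upload result. Note that `failure` is defined above this hunk, so I am assuming it reads `responseJSON.error` to build the message.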
@@ -64,12 +68,12 @@ Use SSL/TLS:
> We **highly** recommend using a static IP address if https is enabled.
http port:
-:
+:
> Enter the http port, default is 80.
https port:
-:
+:
> Enter the https port, default is 443.
diff --git a/plugins/dynamix/include/CertUpload.php b/plugins/dynamix/include/CertUpload.php
index fb00ea483..a317d4141 100644
--- a/plugins/dynamix/include/CertUpload.php
+++ b/plugins/dynamix/include/CertUpload.php
@@ -16,7 +16,20 @@ $text = $_POST['text'] ?? '';
file_put_contents('/boot/config/ssl/certs/certificate_bundle.pem.new', $text);
//validate certificate_bundle.pem.new is for *.unraid.net before moving it over to certificate_bundle.pem
-if (preg_match('/CN=[0-9a-f]{40}\.unraid\.net$/', exec('openssl x509 -in /boot/config/ssl/certs/certificate_bundle.pem.new -subject -noout 2>&1'))) {
+if (preg_match('/CN=([0-9a-f]{40}\.unraid\.net)$/', exec('openssl x509 -in /boot/config/ssl/certs/certificate_bundle.pem.new -subject -noout 2>&1'), $matches)) {
+ // Successful cases:
+ // If unraid.net and .unraid.net both fail then the dns servers are inaccessible ==> cross-fingers and hope their browser has proper dns
+ // If unraid.net and .unraid.net both resolve ==> dns rebinding protection isn't going to be a issue
+ //
+ // Failure case:
+ // If unraid.net resolves but .unraid.net fails ==> dns rebinding protection is a issue
+ if (count(dns_get_record('unraid.net', DNS_A)) !== count(dns_get_record($matches[1], DNS_A))) {
+ http_response_code(406);
+ header("Content-Type: application/json");
+ echo json_encode(['error' => 'Your router or configured DNS servers are protecting against DNS rebinding thus preventing this SSL certificate from working. See help for more details and workarounds']);
+ exit;
+ }
+
rename('/boot/config/ssl/certs/certificate_bundle.pem.new', '/boot/config/ssl/certs/certificate_bundle.pem');
} else {
unlink('/boot/config/ssl/certs/certificate_bundle.pem.new');