I upgraded my firewall from 18.7.10 to 19.1.2. Now I have an issue with unbound and forwarders via DNSoverTLS.
Unbound starts and is listening on all IPs but doesn't resolve any requested names. The unbound log has entries like this:
[1551968079] unbound[33902:1] debug: iterator[module 1] operate: extstate:module_state_initial event:module_event_pass
[1551968079] unbound[33902:1] info: resolving 0.freebsd.pool.ntp.org. AAAA IN
[1551968079] unbound[33902:1] info: processQueryTargets: 0.freebsd.pool.ntp.org. AAAA IN
[1551968079] unbound[33902:1] info: sending query: 0.freebsd.pool.ntp.org. AAAA IN
[1551968079] unbound[33902:1] debug: sending to target: <.> 9.9.9.9#853
[1551968079] unbound[33902:1] debug: cache memory msg=132120 rrset=132120 infra=10617 val=132336
[1551968079] unbound[33902:1] error: ssl handshake failed crypto error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
[1551968079] unbound[33902:1] notice: ssl handshake failed 9.9.9.9 port 853
[1551968079] unbound[33902:1] debug: outnettcp got tcp error -1
[1551968079] unbound[33902:1] debug: tcp error for address 9.9.9.9 port 853
[1551968079] unbound[33902:1] debug: iterator[module 1] operate: extstate:module_wait_reply event:module_event_noreply
This happens with flavour default and OpenSSL. I didn't try LibreSSL, because I had problems with it under FreeBSD in the past and switched back to OpenSSL.
I reinstalled the ca_root_nss package without luck.
Any ideas how I can solve this issue?
[1551968079] unbound[33902:1] error: ssl handshake failed crypto error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Failure to verify certs could be indicative of time being improperly set. Add 1.1.1.1 as a system DNS resolver and make sure you can sync the NTP clock first.
Thanks for your answer but it didn't help. The system clock is in sync.
I found a solution for my issue. I added the following line to the server block, and afterwards name resolution works.
tls-cert-bundle: /etc/ssl/cert.pem
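As an added illustration (not code from the thread or from OPNsense/unbound), the checker below does two things a defender would want when this failure shows up: it counts the upstreams whose TLS handshake unbound rejected in a log excerpt modelled on the one above, and it lints an unbound.conf for the DoT settings that make certificate verification possible at all (a configured CA store and a #hostname on each forward-addr). The sample log, the sample config and the path-existence hook are constructed for this example.

```python
import re
from pathlib import Path

# Constructed log excerpt modelled on the thread's unbound output.
SAMPLE_LOG = """\
[1551968079] unbound[33902:1] debug: sending to target: <.> 9.9.9.9#853
[1551968079] unbound[33902:1] error: ssl handshake failed crypto error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
[1551968079] unbound[33902:1] notice: ssl handshake failed 9.9.9.9 port 853
[1551968079] unbound[33902:1] debug: tcp error for address 9.9.9.9 port 853
"""

# Constructed config fragment carrying the fix from the thread (tls-cert-bundle).
SAMPLE_CONF = """\
server:
  tls-cert-bundle: /etc/ssl/cert.pem
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 9.9.9.9@853#dns.quad9.net
"""

HANDSHAKE_RE = re.compile(r"notice: ssl handshake failed (\S+) port (\d+)")

def failed_dot_upstreams(log_text):
    """Return {'ip#port': count} for upstreams whose TLS handshake unbound rejected."""
    counts = {}
    for line in log_text.splitlines():
        m = HANDSHAKE_RE.search(line)
        if m:
            key = f"{m.group(1)}#{m.group(2)}"
            counts[key] = counts.get(key, 0) + 1
    return counts

def check_dot_config(conf_text, path_exists=Path.is_file):
    """Return findings for an unbound.conf that forwards over TLS (empty list = OK)."""
    findings = []
    uses_tls = re.search(r"^\s*forward-tls-upstream:\s*yes", conf_text, re.M)
    bundle = re.search(r"^\s*tls-cert-bundle:\s*\"?([^\"\s]+)", conf_text, re.M)
    system_cert = re.search(r"^\s*tls-system-cert:\s*yes", conf_text, re.M)
    if uses_tls and not (bundle or system_cert):
        findings.append("forward-tls-upstream is on but no CA store (tls-cert-bundle/tls-system-cert) is configured")
    if bundle and not path_exists(Path(bundle.group(1))):
        findings.append(f"tls-cert-bundle {bundle.group(1)} does not exist on this host")
    for m in re.finditer(r"^\s*forward-addr:\s*(\S+)", conf_text, re.M):
        if uses_tls and "#" not in m.group(1):
            findings.append(f"forward-addr {m.group(1)} has no #hostname to authenticate the certificate against")
    return findings
```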