OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: rookie on March 07, 2019, 08:10:15 pm

Title: [SOLVED] ssl handshake errors between unbound and DNSoverTLS enabled forwarders
Post by: rookie on March 07, 2019, 08:10:15 pm
I upgraded my firewall from 18.7.10 to 19.1.2. Now I have an issue with unbound and forwarders via DNSoverTLS.
Unbound starts and is listening on all IPs but doesn't resolve any requested names. The unbound log has entries like this:

[1551968079] unbound[33902:1] debug: iterator[module 1] operate: extstate:module_state_initial event:module_event_pass
[1551968079] unbound[33902:1] info: resolving 0.freebsd.pool.ntp.org. AAAA IN
[1551968079] unbound[33902:1] info: processQueryTargets: 0.freebsd.pool.ntp.org. AAAA IN
[1551968079] unbound[33902:1] info: sending query: 0.freebsd.pool.ntp.org. AAAA IN
[1551968079] unbound[33902:1] debug: sending to target: <.> 9.9.9.9#853
[1551968079] unbound[33902:1] debug: cache memory msg=132120 rrset=132120 infra=10617 val=132336
[1551968079] unbound[33902:1] error: ssl handshake failed crypto error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
[1551968079] unbound[33902:1] notice: ssl handshake failed 9.9.9.9 port 853
[1551968079] unbound[33902:1] debug: outnettcp got tcp error -1
[1551968079] unbound[33902:1] debug: tcp error for address 9.9.9.9 port 853
[1551968079] unbound[33902:1] debug: iterator[module 1] operate: extstate:module_wait_reply event:module_event_noreply

This happens with flavour default and OpenSSL. I didn't try LibreSSL, because I had problems with it under FreeBSD in the past and switched back to OpenSSL.

I reinstalled the ca_root_nss package without luck.

Any ideas how can I solve this issue?
Title: Re: ssl handshake errors between unbound and DNSoverTLS enabled forwarders
Post by: newsense on March 08, 2019, 07:21:39 am
Code: [Select]
[1551968079] unbound[33902:1] error: ssl handshake failed crypto error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

Failure to verify certs could be indicative of time being improperly set. Add 1.1.1.1 as a system DNS resolver and make sure you can sync the NTP clock first.
Title: Re: ssl handshake errors between unbound and DNSoverTLS enabled forwarders
Post by: rookie on March 08, 2019, 09:05:16 pm
Thanks for your answer but it didn't help. The system clock is in sync.
Title: [SOLVED] ssl handshake errors between unbound and DNSoverTLS enabled forwarders
Post by: rookie on March 08, 2019, 10:24:43 pm
I found a solution for my issue. I added the following line to the server block, and afterwards the name resolution works.

Code: [Select]
tls-cert-bundle: /etc/ssl/cert.pem
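The configuration below is an added example, not part of the original post: it shows the forward-zone for DNS over TLS next to the `server:` setting that makes the handshake verifiable, so the "certificate verify failed" error above and its fix can be seen in one place. Assumptions not taken from the thread: unbound 1.9-era syntax, Quad9 at 9.9.9.9 port 853 presenting a certificate for `dns.quad9.net`, the CA bundle at `/etc/ssl/cert.pem` as provided by the FreeBSD `ca_root_nss` package, and that the fragment is placed wherever the local unbound reads extra configuration (on OPNsense, the Unbound "Custom options" field or an include file).

```conf
# Added example (not from the original post): unbound forwarding over TLS,
# with the setting whose absence produces
# "ssl3_get_server_certificate:certificate verify failed".
#
# Assumptions: unbound 1.9-era syntax, Quad9 (9.9.9.9:853, certificate name
# dns.quad9.net), CA bundle /etc/ssl/cert.pem from FreeBSD's ca_root_nss.

server:
    # With no trust store configured, unbound has nothing to chain the
    # upstream certificate to, so every TLS handshake fails at verification
    # and resolution stops (the failing log lines in this thread).
    #
    # Fix: point unbound at a CA bundle.  On FreeBSD /etc/ssl/cert.pem is
    # installed by ca_root_nss (symlink to /usr/local/share/certs/ca-root-nss.crt).
    tls-cert-bundle: /etc/ssl/cert.pem

forward-zone:
    name: "."
    # Send queries to the forwarder over TLS (port 853) instead of plain UDP/TCP.
    forward-tls-upstream: yes
    # IP@port#auth-name: the "#dns.quad9.net" part makes unbound check that the
    # certificate is issued for that name, not only that it chains to a CA in
    # the bundle.  Without an auth name, any certificate trusted by the bundle
    # would pass.
    forward-addr: 9.9.9.9@853#dns.quad9.net
```

Before restarting unbound, the bundle can be checked from the shell with `openssl s_client -connect 9.9.9.9:853 -servername dns.quad9.net -CAfile /etc/ssl/cert.pem </dev/null`; the output should end with `Verify return code: 0 (ok)`. If that check fails while the system clock is correct, the bundle itself is the problem, which is the situation the `tls-cert-bundle` line resolves. If it fails only without `-CAfile`, OpenSSL's default store is simply not where unbound looks, which is the same conclusion.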