OPNsense Forum
English Forums => 24.7 Production Series => Topic started by: longtom on December 03, 2024, 02:32:42 pm
-
My Unbound DNS over TLS is NOK with 24.7.10.
When I disable DNS over TLS it is OK again.
Edit: with today's version 24.7.10!
-
Also seeing similar issue with DNS over TLS. I had no System DNS servers set & was relying on Unbound to handle the resolution. (Adding a System DNS server remedied the issue for me for now)
Sample Unbound log:
2024-12-03T08:51:22-05:00 Notice unbound [57387:1] notice: ssl handshake failed 1.1.1.1 port 853
2024-12-03T08:51:22-05:00 Error unbound [57387:1] error: ssl handshake cert error: unable to get local issuer certificate
2024-12-03T08:51:22-05:00 Error unbound [57387:1] error: and additionally crypto error:0A000086:SSL routines::certificate verify failed
2024-12-03T08:51:22-05:00 Error unbound [57387:1] error: and additionally crypto error:80000002:system library::No such file or directory
2024-12-03T08:51:22-05:00 Error unbound [57387:1] error: and additionally crypto error:16000069:STORE routines::unregistered scheme
2024-12-03T08:51:22-05:00 Error unbound [57387:1] error: and additionally crypto error:80000002:system library::No such file or directory
2024-12-03T08:51:22-05:00 Error unbound [57387:1] error: and additionally crypto error:16000069:STORE routines::unregistered scheme
2024-12-03T08:51:22-05:00 Error unbound [57387:1] error: and additionally crypto error:80000002:system library::No such file or directory
2024-12-03T08:51:22-05:00 Error unbound [57387:1] error: ssl handshake failed crypto error:16000069:STORE routines::unregistered scheme
NTP was also unable to synchronize due to failed DNS lookups.
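Triage of the log lines above, as an added example (not code from the post or from OPNsense). The distinction it draws matters for what you do next: the quick fix everyone reaches for is to switch DNS over TLS off, which silently downgrades the forwarder to cleartext port 53, and that is exactly the outcome an on-path attacker presenting a bad certificate would want. In the lines quoted here the extra OpenSSL errors ("STORE routines::unregistered scheme", "system library::No such file or directory") say the resolver could not open its own CA store at all, which fits the release note quoted later in the thread about removed SSL bundles and is a resolver-side problem. A "cert error" without those hints deserves a look at the upstream certificate instead. The grouping of those reasons into a verdict is my interpretation, not something Unbound states; the 9.9.9.9 lines and the info line are constructed to exercise the other branch.

```python
import re
from collections import defaultdict

# Constructed sample: the nine Unbound lines quoted in the post above, then two
# lines I made up for a second upstream (9.9.9.9) with a different certificate
# error, and one unrelated info line, so the triage has both cases to separate.
SAMPLE_LOG = """\
2024-12-03T08:51:22-05:00 Notice unbound [57387:1] notice: ssl handshake failed 1.1.1.1 port 853
2024-12-03T08:51:22-05:00 Error unbound [57387:1] error: ssl handshake cert error: unable to get local issuer certificate
2024-12-03T08:51:22-05:00 Error unbound [57387:1] error: and additionally crypto error:0A000086:SSL routines::certificate verify failed
2024-12-03T08:51:22-05:00 Error unbound [57387:1] error: and additionally crypto error:80000002:system library::No such file or directory
2024-12-03T08:51:22-05:00 Error unbound [57387:1] error: and additionally crypto error:16000069:STORE routines::unregistered scheme
2024-12-03T08:51:22-05:00 Error unbound [57387:1] error: and additionally crypto error:80000002:system library::No such file or directory
2024-12-03T08:51:22-05:00 Error unbound [57387:1] error: and additionally crypto error:16000069:STORE routines::unregistered scheme
2024-12-03T08:51:22-05:00 Error unbound [57387:1] error: and additionally crypto error:80000002:system library::No such file or directory
2024-12-03T08:51:22-05:00 Error unbound [57387:1] error: ssl handshake failed crypto error:16000069:STORE routines::unregistered scheme
2024-12-03T08:51:25-05:00 Notice unbound [57387:1] notice: ssl handshake failed 9.9.9.9 port 853
2024-12-03T08:51:25-05:00 Error unbound [57387:1] error: ssl handshake cert error: certificate has expired
2024-12-03T08:51:30-05:00 Info unbound [57387:1] info: resolving example.com. A IN
"""

# The notice line opens a failure; the error lines that follow belong to it.
HANDSHAKE_RE = re.compile(r"notice: ssl handshake failed (\S+) port (\d+)")
CERT_ERR_RE = re.compile(r"ssl handshake cert error: (.+)$")
# OpenSSL error text: code, library, reason.
CRYPTO_RE = re.compile(r"crypto error:([0-9A-Fa-f]+):([^:]+)::(.+)$")

# Reasons that point at the resolver's own trust store rather than at the
# certificate the upstream sent: the STORE loader could not open the default
# CA location. This mapping is my interpretation, not an Unbound category.
TRUST_STORE_HINTS = frozenset({"unregistered scheme", "No such file or directory"})


def parse_events(log_text):
    """Group each handshake-failed notice with the error lines that follow it."""
    events = []
    current = None
    for line in log_text.splitlines():
        m = HANDSHAKE_RE.search(line)
        if m:
            current = {"upstream": m.group(1), "port": int(m.group(2)),
                       "cert_error": None, "crypto": []}
            events.append(current)
            continue
        if current is None:
            continue  # error lines before any notice: nothing to attach them to
        m = CERT_ERR_RE.search(line)
        if m:
            current["cert_error"] = m.group(1).strip()
            continue
        m = CRYPTO_RE.search(line)
        if m:
            current["crypto"].append((m.group(1), m.group(2).strip(), m.group(3).strip()))
    return events


def classify(event):
    """Decide whether the failure looks like a local trust-store problem or a rejected upstream cert."""
    reasons = {reason for _code, _lib, reason in event["crypto"]}
    if event["cert_error"] is None:
        return "handshake-failed-no-cert-detail"
    if reasons & TRUST_STORE_HINTS:
        return "local-trust-store-unreadable"
    # A verify failure with no sign of a missing store: inspect the upstream
    # certificate before considering any fallback to cleartext.
    return "upstream-cert-rejected"


def summarize(log_text):
    """Count failures per (upstream, port, verdict)."""
    counts = defaultdict(int)
    for ev in parse_events(log_text):
        counts[(ev["upstream"], ev["port"], classify(ev))] += 1
    return dict(counts)


if __name__ == "__main__":
    for (upstream, port, verdict), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{upstream}:{port} {verdict} x{n}")
```

On a real box, feed it `clog /var/log/resolver/latest.log` or the Unbound log file your syslog configuration writes; the point is to read the verdict before touching the DNS over TLS toggle.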
-
Yup, add me to the list as well. Took me a bit to figure out why DNS was borked after the update. Disabling DNS over TLS resolves it.
-
I am seeing the same behavior.
-
Just posted on the other thread with the same issue.
-
From the release notes:
o system: remove the SSL bundles in default locations
Is this unbound still using these SSL bundles?
-
Looks like an Unbound bug to me:
# opnsense-patch https://github.com/opnsense/core/commit/cdb8da72661
Patch, apply Unbound settings, test again. I can hotfix and see what fix upstream needs here.
Cheers,
Franco
-
Apparently it's a feature they coined to be for "Windows" and default to off?
tls-win-cert: yes
instead of tls-cert-bundle... can anyone confirm?
Thanks,
Franco
https://nlnetlabs.nl/documentation/unbound/unbound.conf/
-
Hi Franco,
The patch seems to work from my end.
Thanks a lot.
-
How can I apply the patch and restart the service without overwriting the configuration? pluginctl overwrote dot.conf. *BSD is not my strong suit.
EDIT:
nevermind, realized opnsense uses template files after using my eyes and looking at the repo properly. All fixed now. Thank you!
-
Patch works for me.
-
> How can I apply the patch and restart the service without overwriting the configuration? pluginctl overwrote dot.conf. *BSD is not my strong suit.
Just run the "opnsense-patch URL" command in the shell. It will do everything except hit apply for you.
-
> Apparently it's a feature they coined to be for "Windows" and default to off?
> tls-win-cert: yes
> instead of tls-cert-bundle... can anyone confirm?
> Thanks,
> Franco
> https://nlnetlabs.nl/documentation/unbound/unbound.conf/
I don't see either of these entries in my unbound.conf file. Should I check somewhere else?
-
> > Apparently it's a feature they coined to be for "Windows" and default to off?
> > tls-win-cert: yes
> > instead of tls-cert-bundle... can anyone confirm?
> > Thanks,
> > Franco
> > https://nlnetlabs.nl/documentation/unbound/unbound.conf/
> I don't see either of these entries in my unbound.conf file. Should I check somewhere else?
They would be in /var/unbound/etc/dot.conf
-
No, /usr/local/opnsense/service/templates/OPNsense/Unbound/core/dot.conf otherwise it will be overwritten on apply.
-
> > > Apparently it's a feature they coined to be for "Windows" and default to off?
> > > tls-win-cert: yes
> > > instead of tls-cert-bundle... can anyone confirm?
> > > Thanks,
> > > Franco
> > > https://nlnetlabs.nl/documentation/unbound/unbound.conf/
> > I don't see either of these entries in my unbound.conf file. Should I check somewhere else?
> They would be in /var/unbound/etc/dot.conf
Hmm, OK, the link he quoted mentions unbound.conf. My dot.conf file, other than a single forwarding zone, is empty.
-
24.7.10_1 is now live...
-
> No, /usr/local/opnsense/service/templates/OPNsense/Unbound/core/dot.conf otherwise it will be overwritten on apply.
Thanks, mine is currently un-patched; I show "tls-system-cert: yes".
-
> Thanks, mine is currently un-patched, I show " tls-system-cert: yes".
Can you add "tls-win-cert: yes" in the line below (with the same indent) and apply from GUI?
If that doesn't work "tls-cert-bundle: /usr/local/etc/ssl/cert.pem" and removing "tls-system-cert: yes" will do the trick.
Cheers,
Franco
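The two states of the rendered DoT configuration that this exchange is about, written out as an added example (this is not the OPNsense template, the hotfix, or Franco's patch). The `server:` lines are the ones named in the thread; the `forward-zone:` clause is an assumption added so the fragment is a complete Unbound forwarder, with 1.1.1.1 and its authentication name as placeholders for whatever upstream you actually use.

```conf
# Added example of an Unbound DNS-over-TLS forwarder clause. Not the OPNsense
# template file. The forward-zone target and auth name are assumptions.
server:
    # What 24.7.10 rendered, per the thread. With the default SSL bundle
    # location removed in this release, OpenSSL has no trust store to open,
    # so every upstream certificate fails to verify and DoT stops working.
    # tls-system-cert: yes

    # Franco's fallback: point Unbound at the bundle by explicit path instead
    # of relying on the OpenSSL default directory. Check the file exists
    # first (ls -l /usr/local/etc/ssl/cert.pem) or you trade one unreadable
    # store for another.
    tls-cert-bundle: "/usr/local/etc/ssl/cert.pem"

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Assumed upstream. The name after '#' is what the certificate is checked
    # against; without it the TLS session is encrypted but not authenticated.
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
```

As the thread says, make this change in /usr/local/opnsense/service/templates/OPNsense/Unbound/core/dot.conf and apply from the GUI; /var/unbound/etc/dot.conf is regenerated from the template on every apply, so editing it directly does not stick.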
-
Thanks a lot for the quick patch! :)
-
> > Thanks, mine is currently un-patched; I show "tls-system-cert: yes".
> Can you add "tls-win-cert: yes" in the line below (with the same indent) and apply from GUI?
> If that doesn't work "tls-cert-bundle: /usr/local/etc/ssl/cert.pem" and removing "tls-system-cert: yes" will do the trick.
> Cheers,
> Franco
Adding "tls-win-cert" in the line below didn't fix it. But replacing "tls-system-cert: yes" with "tls-cert-bundle: /usr/local/etc/ssl/cert.pem" did restore functionality.
Do I need to leave the "tls-win-cert: yes" in place?
-
24.7.10_1 works fine for me. Thank you :)
-
> > > > Apparently it's a feature they coined to be for "Windows" and default to off?
> > > > tls-win-cert: yes
> > > > instead of tls-cert-bundle... can anyone confirm?
> > > > Thanks,
> > > > Franco
> > > > https://nlnetlabs.nl/documentation/unbound/unbound.conf/
> > > I don't see either of these entries in my unbound.conf file. Should I check somewhere else?
> > They would be in /var/unbound/etc/dot.conf
> Hmm, OK, the link he quoted mentions unbound.conf. My dot.conf file, other than a single forwarding zone, is empty.
The documentation for `unbound.conf` just shows every available option - Unbound is one of the (sensible) apps which allows for options to be spread across multiple configuration files, for example some provided by a package manager (eligible for overwriting) and some manually (which should not be overwritten). Or separated out by purpose/feature.
So `/var/unbound/etc/dot.conf` will contain a rendered config file with the configuration entries from the `unbound.conf` man page, which are relevant for DNS-over-TLS (or `dot`).
-
> Do I need to leave the "tls-win-cert: yes" in place?
No, apparently it is only an alias for tls-system-cert after all but there is a bug somewhere because it ignores the system directory location, which I haven't seen before. Things like this were tested to death in the last month in fetch, pkg and syslog-ng and they all worked as documented in OpenSSL.
Cheers,
Franco