Messages - phantomsfbw

#1
24.7, 24.10 Legacy Series / Re: DNS Over TLS Broken
November 23, 2024, 02:08:07 PM
I tried just one server of Quad9 as well.  Also tried other DNS providers.  Decided to give IPFire a shot as I needed to start over from scratch, and it has been a while, which does say great things about OPNsense; just decided to try something different for a bit.  Thanks again to all for the assistance, see you back sometime.
#2
24.7, 24.10 Legacy Series / Re: DNS Over TLS Broken
November 22, 2024, 07:52:33 PM
Given it may be a certificate issue, I will scrub the drive and reinstall.  Thanks to all for the assistance!
#3
24.7, 24.10 Legacy Series / Re: DNS Over TLS Broken
November 22, 2024, 06:43:44 PM
I don't think so...

CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G3
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert Global G3 TLS ECC SHA384 2020 CA1
verify return:1
depth=0 C = CH, ST = Zurich, L = Zurich, O = Quad9, CN = dns.quad9.net
verify return:1
---
Certificate chain
0 s:C = CH, ST = Zurich, L = Zurich, O = Quad9, CN = dns.quad9.net
   i:C = US, O = DigiCert Inc, CN = DigiCert Global G3 TLS ECC SHA384 2020 CA1
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Jul 17 00:00:00 2024 GMT; NotAfter: Jul 16 23:59:59 2025 GMT
1 s:C = US, O = DigiCert Inc, CN = DigiCert Global G3 TLS ECC SHA384 2020 CA1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G3
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Apr 14 00:00:00 2021 GMT; NotAfter: Apr 13 23:59:59 2031 GMT
---
Server certificate
subject=C = CH, ST = Zurich, L = Zurich, O = Quad9, CN = dns.quad9.net
issuer=C = US, O = DigiCert Inc, CN = DigiCert Global G3 TLS ECC SHA384 2020 CA1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3271 bytes and written 377 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 812C87A07C8B24011BE622AED9DA212E6553DFDF99E5845A51F93FA89A2C85C0
    Session-ID-ctx:
    Resumption PSK: 5A5B534B7545D9EB4740EC808A296410DB5E44E79459982BD6BC486C604C825477DF9A9100D1F5C91F37FD4BC1DC0C99
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1732297173
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 0F0CB8FB01CA3BC29AB7E43BE6A28B46560E2981C09698C3DFDEF049AEC6392B
    Session-ID-ctx:
    Resumption PSK: A6FD458C139924F01D83E521136022B908B7AC1B4C1CDDB7F4DDA8BF0CB19970B45436A8FB4FF27FD1FB8AD4ED197F89
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1732297173
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed
#4
24.7, 24.10 Legacy Series / Re: DNS Over TLS Broken
November 22, 2024, 02:19:56 AM
Ran the pkg install and it showed reinstalling unbound-1.22.0_1.  Reinstall completed without conflict.  Rebooted and then enabled DoT, and still does not work.  Thank you for the troubleshooting assistance.

Here is the log data for this attempt:

2024-11-21T20:21:09-05:00   Informational   unbound   [37225:16] info: 10.0.0.42 linuxconfig.org. HTTPS IN   
2024-11-21T20:21:09-05:00   Informational   unbound   [37225:16] info: 10.0.0.42 linuxconfig.org. HTTPS IN   
2024-11-21T20:21:09-05:00   Notice   unbound   [37225:16] notice: ssl handshake failed 9.9.9.9 port 853   
2024-11-21T20:21:09-05:00   Error   unbound   [37225:16] error: ssl handshake cert error: unable to get local issuer certificate   
2024-11-21T20:21:09-05:00   Error   unbound   [37225:16] error: and additionally crypto error:0A000086:SSL routines::certificate verify failed   
2024-11-21T20:21:09-05:00   Error   unbound   [37225:16] error: and additionally crypto error:80000002:system library::No such file or directory   
2024-11-21T20:21:09-05:00   Error   unbound   [37225:16] error: and additionally crypto error:16000069:STORE routines::unregistered scheme   
2024-11-21T20:21:09-05:00   Error   unbound   [37225:16] error: and additionally crypto error:80000002:system library::No such file or directory   
2024-11-21T20:21:09-05:00   Error   unbound   [37225:16] error: and additionally crypto error:16000069:STORE routines::unregistered scheme   
2024-11-21T20:21:09-05:00   Error   unbound   [37225:16] error: and additionally crypto error:80000002:system library::No such file or directory   
2024-11-21T20:21:09-05:00   Error   unbound   [37225:16] error: ssl handshake failed crypto error:16000069:STORE routines::unregistered scheme
#5
24.7, 24.10 Legacy Series / Re: DNS Over TLS Broken
November 21, 2024, 09:54:47 PM
This is a new install on bare metal.  I had the previous version running without issue until this latest upgrade.  Here are the contents of the DoT:

Custom forwarding
          9.9.9.9                   853   dns.quad9.net   Quad9 Primary IPV4   
          149.112.112.112   853   dns.quad9.net   Quad9 Alternate IPV4   

Domain is blank
Not running IPV6
#6
24.7, 24.10 Legacy Series / Re: DNS Over TLS Broken
November 21, 2024, 07:26:25 PM
Thank you for the reply and recommendation.  Ran and rebooted.  However, still no DNS over TLS. Log from latest attempt.

2024-11-21T13:24:15-05:00   Informational   unbound   [40958:d] info: 10.0.0.216 lechmere-v1.sslauth.sonos.com.phantom.net. A IN   
2024-11-21T13:24:15-05:00   Informational   unbound   [40958:11] info: resolving lechmere-v1.sslauth.sonos.com.phantom.net. A IN   
2024-11-21T13:24:15-05:00   Informational   unbound   [40958:11] info: 10.0.0.216 lechmere-v1.sslauth.sonos.com.phantom.net. A IN   
2024-11-21T13:24:15-05:00   Informational   unbound   [40958:5] info: 10.0.0.216 lechmere-v1.sslauth.sonos.com. A IN   
2024-11-21T13:24:15-05:00   Informational   unbound   [40958:12] info: resolving lechmere-v1.sslauth.sonos.com. A IN   
2024-11-21T13:24:15-05:00   Informational   unbound   [40958:12] info: 10.0.0.216 lechmere-v1.sslauth.sonos.com. A IN   
2024-11-21T13:24:14-05:00   Notice   unbound   [40958:14] notice: ssl handshake failed 9.9.9.9 port 853   
2024-11-21T13:24:14-05:00   Error   unbound   [40958:14] error: ssl handshake cert error: unable to get local issuer certificate   
2024-11-21T13:24:14-05:00   Error   unbound   [40958:14] error: and additionally crypto error:0A000086:SSL routines::certificate verify failed   
2024-11-21T13:24:14-05:00   Error   unbound   [40958:14] error: and additionally crypto error:80000002:system library::No such file or directory   
2024-11-21T13:24:14-05:00   Error   unbound   [40958:14] error: and additionally crypto error:16000069:STORE routines::unregistered scheme   
2024-11-21T13:24:14-05:00   Error   unbound   [40958:14] error: and additionally crypto error:80000002:system library::No such file or directory   
2024-11-21T13:24:14-05:00   Error   unbound   [40958:14] error: and additionally crypto error:16000069:STORE routines::unregistered scheme   
2024-11-21T13:24:14-05:00   Error   unbound   [40958:14] error: and additionally crypto error:80000002:system library::No such file or directory   
2024-11-21T13:24:14-05:00   Error   unbound   [40958:14] error: ssl handshake failed crypto error:16000069:STORE routines::unregistered scheme   
2024-11-21T13:24:14-05:00   Notice   unbound   [40958:14] notice: ssl handshake failed 9.9.9.9 port 853   
2024-11-21T13:24:14-05:00   Error   unbound   [40958:14] error: ssl handshake cert error: unable to get local issuer certificate   
2024-11-21T13:24:14-05:00   Error   unbound   [40958:14] error: and additionally crypto error:0A000086:SSL routines::certificate verify failed
#7
24.7, 24.10 Legacy Series / Re: DNS Over TLS Broken
November 21, 2024, 03:34:46 AM
/usr/local/etc/unbound/root.key does not exist
debug cert update forced
last successful probe: Wed Nov 20 21:33:29 2024
the last successful probe is recent
/usr/local/etc/unbound/icannbundle.pem: No such file or directory
using builtin certificate
have 1 trusted certificates
resolved server address 152.199.24.38
resolved server address 2606:2800:21f:b505:516b:4186:98cd:116
connect to 152.199.24.38
fetched root-anchors/root-anchors.xml (1861 bytes)
connect to 152.199.24.38
fetched root-anchors/root-anchors.p7s (2523 bytes)
signer 0: Subject: /O=ICANN/CN=DNSSEC Trust Anchor Verification/emailAddress=dnssec@iana.org
the PKCS7 signature verified
XML was parsed successfully, 2 keys
success: the anchor has been updated using the cert
#8
24.7, 24.10 Legacy Series / DNS Over TLS Broken
November 20, 2024, 11:30:45 PM
After the 11/2024 update, cannot use DNS Over TLS.  Using Quad9 and IPV4 only.  Worked fine before update.  No access to Internet if turned on.  If turned off, access is fine.  Here are the errors from the DNS/TLS log:

2024-11-20T17:26:26-05:00   Error   unbound   [95068:5] error: ssl handshake cert error: unable to get local issuer certificate   
2024-11-20T17:26:26-05:00   Error   unbound   [95068:5] error: and additionally crypto error:0A000086:SSL routines::certificate verify failed   
2024-11-20T17:26:26-05:00   Error   unbound   [95068:5] error: and additionally crypto error:80000002:system library::No such file or directory   
2024-11-20T17:26:26-05:00   Error   unbound   [95068:5] error: and additionally crypto error:16000069:STORE routines::unregistered scheme
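
An added example, not part of the forum posts: a small triage script that groups the Unbound TLS error lines quoted above per handshake and labels the failure. The verdict names and the `triage`/`classify` helpers are hypothetical, the sample is constructed in the shape of the quoted log, and reading "No such file or directory" as an unreadable CA file or directory is a heuristic assumption.

```python
import re
from collections import defaultdict

# Constructed sample: one failed handshake, shaped like the log lines quoted above.
SAMPLE = """\
2024-11-21T20:21:09-05:00   Notice   unbound   [37225:16] notice: ssl handshake failed 9.9.9.9 port 853
2024-11-21T20:21:09-05:00   Error   unbound   [37225:16] error: ssl handshake cert error: unable to get local issuer certificate
2024-11-21T20:21:09-05:00   Error   unbound   [37225:16] error: and additionally crypto error:0A000086:SSL routines::certificate verify failed
2024-11-21T20:21:09-05:00   Error   unbound   [37225:16] error: and additionally crypto error:80000002:system library::No such file or directory
2024-11-21T20:21:09-05:00   Error   unbound   [37225:16] error: ssl handshake failed crypto error:16000069:STORE routines::unregistered scheme
"""

LINE = re.compile(r"^(\S+)\s+\w+\s+unbound\s+\[(\d+:[0-9a-f]+)\]\s+\w+:\s+(.*?)\s*$")
PEER = re.compile(r"^ssl handshake failed (\S+) port (\d+)$")
CERT = re.compile(r"^ssl handshake cert error: (.+)$")
CRYPTO = re.compile(r"crypto error:([0-9A-F]{8}):[^:]*::(.+)$")

def classify(cert_error, reasons):
    # Verdict names are hypothetical labels for this example, not Unbound output.
    if cert_error == "unable to get local issuer certificate":
        # ENOENT in the same error queue: a CA file or directory could not be opened.
        if "No such file or directory" in reasons:
            return "ca-store-unreadable"
        return "issuer-not-trusted"
    return "cert-rejected" if cert_error else "handshake-failed"

def triage(text):
    """Group TLS errors by (timestamp, pid:thread); order within a group is ignored."""
    groups = defaultdict(lambda: {"peers": set(), "cert_error": None, "reasons": set()})
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, tid, msg = m.groups()
        if (p := PEER.match(msg)):
            groups[(ts, tid)]["peers"].add(f"{p.group(1)}:{p.group(2)}")
        elif (c := CERT.match(msg)):
            groups[(ts, tid)]["cert_error"] = c.group(1)
        elif (e := CRYPTO.search(msg)):
            groups[(ts, tid)]["reasons"].add(e.group(2))
    return [
        {"when": ts, "thread": tid, "peers": sorted(g["peers"]),
         "verdict": classify(g["cert_error"], g["reasons"])}
        for (ts, tid), g in groups.items()
    ]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A `ca-store-unreadable` verdict points at the CA file or directory the resolver was configured to trust (Unbound's `tls-cert-bundle` setting) rather than at the upstream's certificate, which fits the `openssl` session in the later post verifying the same chain with `Verification: OK`.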
#9
So temp monitoring works for AMD newer CPUs if you do the new install with kernel 4.1.  However, on my 7900X it shows Cores 0 and 1 twice.  0 and 1 are at the top of the queue, and then if you scroll down, they are also the last two in the queue.  The 2nd reading is not only duplicative in this case, but also incorrect. Would also note that in the new dashboard the same info is shown in the same order, with the color bar for the repeated two CPUs as red.

49.2 °C Core 0 (dev.cpu.0.temperature)
49.2 °C Core 1 (dev.cpu.1.temperature)
49.2 °C Core 10 (dev.cpu.10.temperature)
49.2 °C Core 11 (dev.cpu.11.temperature)
49.2 °C Core 12 (dev.cpu.12.temperature)
49.2 °C Core 13 (dev.cpu.13.temperature)
49.2 °C Core 14 (dev.cpu.14.temperature)
49.2 °C Core 15 (dev.cpu.15.temperature)
49.2 °C Core 16 (dev.cpu.16.temperature)
49.2 °C Core 17 (dev.cpu.17.temperature)
49.2 °C Core 18 (dev.cpu.18.temperature)
49.2 °C Core 19 (dev.cpu.19.temperature)
49.2 °C Core 2 (dev.cpu.2.temperature)
49.2 °C Core 20 (dev.cpu.20.temperature)
49.2 °C Core 21 (dev.cpu.21.temperature)
49.2 °C Core 22 (dev.cpu.22.temperature)
49.2 °C Core 23 (dev.cpu.23.temperature)
49.2 °C Core 3 (dev.cpu.3.temperature)
49.2 °C Core 4 (dev.cpu.4.temperature)
49.2 °C Core 5 (dev.cpu.5.temperature)
49.2 °C Core 6 (dev.cpu.6.temperature)
49.2 °C Core 7 (dev.cpu.7.temperature)
49.2 °C Core 8 (dev.cpu.8.temperature)
49.2 °C Core 9 (dev.cpu.9.temperature)
80000 °C Core 0 (dev.mce.0.hw_temperature)
80000 °C
#10
Any chance the new kernel now supports Ryzen 9 CPU temp monitoring?
#11
I was LAN only with Zenarmor as well.  Use CROWDSEC and SURICATA for WAN.
#12
SY,

  I tried a Zenarmor reset as that was the only thing working in the Zenarmor menu.  The reset seemed to work initially up to selecting a database type.  I noticed there is now an Elastic 5 and 8 version database you can choose.  I tried the version 8, and the installer said to make sure the Zenarmor cloud agent was connected.  So after running that routine twice with no joy, I decided to uninstall from the Opnsense package manager and then reinstall.  The reinstall failed as no Zenarmor entry was set in the Opnsense menu.  So I have just uninstalled again and will leave it for a bit until the next Opnsense update.  I am on the dev firmware so understand these things will happen.

Cheers!
#13
I have the same problem :(
#14
I am on the developer release, so suspect there might be some differences as the business release might actually be newer in some cases at this point. 
#15
So I have a question about the DNS settings for KEA, but I have to start with ISC DHCPv4 to get to the question.  When using ISC DHCPv4 under the LAN settings you don't list your DNS servers if you are going to use DNS over TLS under UNBOUND.

So I thought the parallel might be true if using KEA as KEA also has a DNS Subnet section.  So when I set up KEA initially, I added a DNS under the subnet entry as I did not want to chance wrecking my network access.  That seems to have worked fine, but it bugged me that KEA settings were a bit different so I took a chance and removed the DNS setting under KEA.  Everything worked fine, both wired and wireless.  Woke up this morning to find wireless access had quit working, but wired was just fine, so I went back into the KEA subnet setting and re-added the DNS entry.  Wireless network came back up.

Not sure what is truly happening where I get wired but not wired DNS in this situation.  Also makes me wonder if DNS over TLS is actually functioning given the settings between ISC DHCPv4 and KEA are not parallel in this sense.

I do have my switches set to DHCP, but use the KEA reservations to give them each a specific IP address.  I have done the same thing with the wireless access ports too.

So what happened to KEA DHCP when I made the change to remove my DHCP IP address from the KEA Subnet setting, which in this case is the router IP?