Referencing AcmeClient Certificates from config files

Started by excavator fidelity, November 02, 2025, 06:33:41 PM

This is /var/unbound/unbound.conf:

##########################
# Unbound Configuration
##########################

##
# Server configuration
##
server:
    chroot: /var/unbound
    username: unbound
    directory: /var/unbound
    pidfile: /var/run/unbound.pid
    root-hints: /var/unbound/root.hints
    use-syslog: yes
    port: 53
    include: /var/unbound/advanced.conf
    harden-referral-path: no
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    do-daemonize: yes
    so-reuseport: yes
    module-config: "python iterator"
    num-threads: 4
    msg-cache-slabs: 8
    rrset-cache-slabs: 8
    infra-cache-slabs: 8
    key-cache-slabs: 8

    # Interface IP(s) to bind to
    interface: 0.0.0.0
    interface: ::
    interface-automatic: yes

    # Private networks for DNS Rebinding prevention (when enabled)

    # Private domains (DNS Rebinding)
    include: /var/unbound/private_domains.conf

    # Static host entries
    include: /var/unbound/host_entries.conf

    # DHCP leases (if configured)

    # Custom includes
    include: /var/unbound/etc/*.conf

python:
    python-script: dnsbl_module.py

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 953
    server-key-file: /var/unbound/unbound_server.key
    server-cert-file: /var/unbound/unbound_server.pem
    control-key-file: /var/unbound/unbound_control.key
    control-cert-file: /var/unbound/unbound_control.pem

And here's /var/unbound/etc/extra_config.conf:

server:
  # Listen on the second loopback interface
  # DNS-over-TLS
  interface: fd53:5353:0000::1@853
  interface: 192.168.0.1@853

  tls-port: 853

  # Let's Encrypt certificate
  tls-service-key: "/var/etc/acme-client/keys/abcd.1234/private.key"
  tls-service-pem: "/var/etc/acme-client/certs/abcd.1234/fullchain.pem"

The acme files exist, the addresses are listed in ifconfig, and I watched my firewall logs and can confirm my pass rule works.
I tried renaming the file to start with `00-` and to start with `zz-`.
No matter what, the output of `sockstat -l | grep unbound` still only shows listeners on `*:53` (and the local control port `:953`).
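
`sockstat -l` only shows that a socket is bound; it does not tell you that TLS is actually served on it with the ACME certificate. The script below is an added example (not part of this post, and not OPNsense or Unbound code) that checks the DoT listener end to end from a client: it encodes a query in DNS wire format, sends it over TLS with the two-byte length prefix that DNS over TCP/TLS requires, verifies the served certificate chain and hostname against the system trust store (which a Let's Encrypt `fullchain.pem` should satisfy), and parses the answer section. The resolver address, the hostname on the certificate and the query name are command-line arguments and are assumptions for illustration.

```python
"""Probe a DNS-over-TLS listener (RFC 7858) and verify its certificate.

Added example, not code from the forum post or from OPNsense/Unbound.
Usage: python dot_probe.py <resolver-ip> <cert-hostname> <qname>
"""
import socket
import ssl
import struct
import sys

DOT_PORT = 853  # default DNS-over-TLS port (RFC 7858)


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a single-question DNS query (RD set, no EDNS) in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN
    return header + question


def _read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_answers(msg: bytes, expected_txid: int = 0x1234):
    """Return (rcode, [(name, type, ttl, rdata)]) from a DNS response message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # render A records as dotted quads
            rdata = socket.inet_ntoa(rdata)
        answers.append((name, rtype, ttl, rdata))
    return rcode, answers


def _recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes from a stream socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def dot_query(server_ip: str, server_name: str, qname: str,
              port: int = DOT_PORT, cafile=None):
    """Send one query over DNS-over-TLS and return (rcode, answers).

    server_name is the name on the resolver's certificate; passing it as
    server_hostname makes Python verify the chain AND the hostname even
    though the TCP connection is made to a bare IP address.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    query = build_query(qname)
    with socket.create_connection((server_ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)  # 2-byte length prefix
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_answers(_recv_exact(tls, length))


if __name__ == "__main__":
    # All three values are assumptions supplied by the operator.
    ip, name, q = sys.argv[1], sys.argv[2], sys.argv[3]
    print(dot_query(ip, name, q))
```

If the listener is up but the ACME chain is wrong or expired, the TLS handshake fails with a certificate verification error before any DNS bytes are exchanged, which separates the "socket not bound" problem from a certificate problem.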

The only significant difference seems to be that I selected a single interface in "Services: Unbound DNS: General: Network Interfaces" (lo1, which I also use for DoT / DoH).

This is how that looks in /var/unbound/unbound.conf:

# Interface IP(s) to bind to
interface: 127.0.0.1
interface: ::1
interface: fe80::1%lo0
interface: fe80::1%lo1
interface: 2001:db8:1:53::1

Maybe binding to 0.0.0.0 / :: prevents Unbound from additionally binding to specific addresses for DoT? Worth a try to select only specific interfaces.
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

THANK YOU! That worked!

I have no clue why unbound works like that, but thanks for helping me work through this issue.

Phew, glad it works! I wouldn't even rule out that the reason why I selected a single interface was this exact issue... This was years ago so I really don't remember.