Unbound DNS not starting

[arun54321]

I tried to start it manually from shell to see error messages. I get this.

Code: [Select]

root@OPNsense:~ # unbound -c /var/unbound/unbound.conf
[1726588625] unbound[11489:0] error: Error for server-cert-file: /var/unbound/unbound_server.pem
[1726588625] unbound[11489:0] error: Error in SSL_CTX use_certificate_chain_file crypto error:0480006C:PEM routines::no start line
[1726588625] unbound[11489:0] error: and additionally crypto error:0A080009:SSL routines::PEM lib
[1726588625] unbound[11489:0] fatal error: could not set up remote-control
root@OPNsense:~ #


[cookiemonster]

default enable of Unbound from UI takes care of all requirements.
What have you done in and out of the UI ?

[dseven]

Sounds like file corruption of some sort to me. If you can login, either on the console or with ssh, start a shell (option `8`) and run `cat /var/unbound/unbound_server.pem`, the result (contents) might reveal something.

I wonder if you might have a full filesystem or something....

[newsense]

Most likely looking at the certificate would throw some error based on the previous output. Check the certificate with openssl

Code: [Select]

root@OPNsense:~ # openssl x509 -in /var/unbound//unbound_server.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2c:39:47:1a:e1:2b:ee:9a:ee:8c:2b:05:d4:75:ed:a0:4e:68:cf:07
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = unbound
        Validity
            Not Before: Oct 30 16:46:15 2023 GMT
            Not After : Jul 17 16:46:15 2043 GMT
        Subject: CN = unbound
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
                Modulus:
                    00:d7:5b:e1:fb:55:09:11:d7:f4:95:ce:80:c6:8f:
                    0e:db:10:2b:8a:64:bf:33:84:be:4c:2b:dd:63:94:
                    31:f8:45:98:3d:84:d8:7a:64:bb:e8:36:35:b6:67:
                    a4:a8:c4:80:d2:1c:6f:ea:20:a8:eb:57:46:dd:a2:
                    84:f8:27:6a:89:8b:ee:01:1a:37:a8:0a:32:48:ed:
                    94:76:e4:8e:c0:fb:70:c5:26:ab:26:c8:9f:d1:e8:
                    18:cf:9f:f7:d5:11:df:20:12:e3:91:4a:34:54:b6:
                    26:31:14:66:3b:b5:90:d8:c9:e7:6f:11:4e:05:77:
                    7a:a5:1b:49:8f:90:82:0b:9d:c9:4d:8f:fd:a6:dc:
                    94:61:66:37:a7:89:b9:3e:f6:2b:63:f0:6f:e8:a5:
                    19:2e:cd:5c:dd:a2:1e:c9:fc:08:0e:89:83:1a:65:
                    a6:db:6f:e8:c1:4a:2c:3b:d5:a5:c5:2a:fb:e8:84:
                    9e:8f:f9:b0:71:f9:27:1d:8c:5a:7d:e6:cb:bb:d8:
                    bd:16:a2:83:ea:90:37:5d:86:71:0b:38:5a:83:98:
                    79:49:46:0b:c4:cf:2c:18:3b:a4:94:e0:42:16:c2:
                    67:99:81:7f:de:33:91:cc:b0:60:ca:a9:d1:aa:d0:
                    d1:bb:cc:57:ca:ce:8a:4b:9b:08:1e:78:2a:d3:0f:
                    43:76:97:e5:13:6d:e6:d8:10:51:b4:4e:eb:2f:18:
                    5f:ec:a8:4b:1f:c5:e9:4d:39:ab:9d:3e:76:37:b6:
                    75:9e:3e:74:e1:10:19:74:c2:cb:f7:c6:ef:e4:61:
                    0f:56:5f:2b:df:b1:05:d4:a3:93:ed:0e:81:37:6d:
                    a3:27:4a:91:03:3e:68:d5:31:ee:69:7d:fa:ed:f9:
                    bb:b9:eb:25:58:9f:23:54:49:9b:58:f3:74:eb:22:
                    fa:44:5a:86:48:cb:50:17:64:43:90:61:02:c6:f9:
                    f9:09:bb:51:9c:43:b5:81:71:8c:ba:ad:d4:5d:13:
                    73:6d:59:54:11:9b:9f:86:ab:4d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                67:77:20:80:9E:15:70:36:1A:89:BC:90:DF:B6:AC:E1:D0:22:35:47
            X509v3 Authority Key Identifier:
                keyid:67:77:20:80:9E:15:70:36:1A:89:BC:90:DF:B6:AC:E1:D0:22:35:47
                DirName:/CN=unbound
                serial:2C:39:47:1A:E1:2B:EE:9A:EE:8C:2B:05:D4:75:ED:A0:4E:68:CF:07
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Subject Alternative Name:
                DNS:unbound
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        3f:03:65:46:b3:7f:97:ff:fb:1a:da:9d:fc:76:87:bd:21:44:
        9f:af:d3:a9:63:34:64:3a:2d:97:4a:09:fc:8e:a8:e9:bc:9a:
        a6:96:08:74:ac:f2:7c:92:a1:52:de:54:43:bd:57:56:1b:c9:
        38:14:e3:bf:36:37:5a:a0:51:4a:9f:d0:0d:0a:51:43:37:56:
        fd:55:de:dd:ff:27:c5:f4:37:4e:db:05:ce:d6:50:54:96:6d:
        b9:44:a7:1e:50:9c:7f:2f:24:dc:2b:bc:14:4d:79:df:8b:99:
        da:c9:61:31:10:06:c0:6c:35:58:f4:eb:f6:89:6c:c7:16:97:
        40:b5:06:cc:61:4f:83:e3:74:60:14:48:64:44:04:14:b2:31:
        71:0f:4b:a4:2b:21:53:90:ea:57:a4:b4:a4:96:26:66:75:4c:
        2e:07:5b:7d:06:ba:27:74:ef:24:fe:a9:ea:31:38:07:a4:d6:
        36:ad:61:6e:32:01:55:4e:27:0a:de:1a:57:3d:ef:17:3c:4a:


root@OPNsense:~ # sha256sum /var/unbound/unbound_server.pem
2f4f3e9d29855dc6a33d1958962bcbb43970e64377ed7bcd166607cdc5551e21  /var/unbound/unbound_server.pem
If you don't get the output above there are two options:

1)You can try reinstalling unbound

Code: [Select]

# pkg install -f unbound

2) If the previous step fails you can simply replace the contents of the file with the certificate. Make sure to not miss any -

Code: [Select]

root@OPNsense:~ # cat /var/unbound/unbound_server.pem

-----BEGIN CERTIFICATE-----
MIIETDCCArSgAwIBAgIULDlHGuEr7prujCsF1HXtoE5ozwcwDQYJKoZIhvcNAQEL
BQAwEjEQMA4GA1UEAwwHdW5ib3VuZDAeFw0yMzEwMzAxNjQ2MTVaFw00MzA3MTcx
NjQ2MTVaMBIxEDAOBgNVBAMMB3VuYm91bmQwggGiMA0GCSqGSIb3DQEBAQUAA4IB
jwAwggGKAoIBgQDXW+H7VQkR1/SVzoDGjw7bECuKZL8zhL5MK91jlDH4RZg9hNh6
ZLvoNjW2Z6SoxIDSHG/qIKjrV0bdooT4J2qJi+4BGjeoCjJI7ZR25I7A+3DFJqsm
yJ/R6BjPn/fVEd8gEuORSjRUtiYxFGY7tZDYyedvEU4Fd3qlG0mPkIILnclNj/2m
3JRhZjenibk+9itj8G/opRkuzVzdoh7J/AgOiYMaZabbb+jBSiw71aXFKvvohJ6P
+bBx+ScdjFp95su72L0WooPqkDddhnELOFqDmHlJRgvEzywYO6SU4EIWwmeZgX/e
M5HMsGDKqdGq0NG7zFfKzopLmwgeeCrTD0N2l+UTbebYEFG0TusvGF/sqEsfxelN
OaudPnY3tnWePnThEBl0wsv3xu/kYQ9WXyvfsQXUo5PtDoE3baMnSpEDPmjVMe5p
ffrt+bu56yVYnyNUSZtY83TrIvpEWoZIy1AXZEOQYQLG+fkJu1GcQ7WBcYy6rdRd
E3NtWVQRm5+Gq00CAwEAAaOBmTCBljAdBgNVHQ4EFgQUZ3cggJ4VcDYaibyQ37as
4dAiNUcwTQYDVR0jBEYwRIAUZ3cggJ4VcDYaibyQ37as4dAiNUehFqQUMBIxEDAO
BgNVBAMMB3VuYm91bmSCFCw5RxrhK+6a7owrBdR17aBOaM8HMBIGA1UdEwEB/wQI
MAYBAf8CAQAwEgYDVR0RBAswCYIHdW5ib3VuZDANBgkqhkiG9w0BAQsFAAOCAYEA
PwNlRrN/l//7Gtqd/HaHvSFEn6/TqWM0ZDotl0oJ/I6o6byappYIdKzyfJKhUt5U
Q71XVhvJOBTjvzY3WqBRSp/QDQpRQzdW/VXe3f8nxfQ3TtsFztZQVJZtuUSnHlCc
fy8k3Cu8FE1534uZ2slhMRAGwGw1WPTr9olsxxaXQLUGzGFPg+N0YBRIZEQEFLIx
cQ9LpCshU5DqV6S0pJYmZnVMLgdbfQa6J3TvJP6p6jE4B6TWNq1hbjIBVU4nCt4a
Vz3vFzxKnyp5ClUQWe6qTkqojkGcsKiEaMBzABz8ncE6GFAfM4k7ixmz6gA7lwHg
1HBfob/xMK3Z0/8RQNNCkgsVkSBf+UKYk3xQhCsGumHeZ6iJkqIDrwi7EdsAjRI9
wrmaHP/DuAk8VMKdP7oqoc/ZjJQTHiqU6e+Ttk34AodHkEjPM4DUFFgqbehQHboh
4nokCVOIzSSfOVGWAkx7OY+y3W15tQFhNBFhdsqexX6ZVeASAS0TAC+mOJqdxq/q
-----END CERTIFICATE-----

root@OPNsense:~ #


[Stitch10925]

Maybe a stupid question, but do you have enough disk space left? Unbound doesn't like it when there is no space left.