24.7.10 Unbound DNS: DNS over TLS NOK? -> OK with 24.7.10_1

[longtom]

My Unbound DNS over TLS is NOK with 24.7.10.
When i disable DNS over TLS it is OK again.

Edit: With todays version 24.7.10!

[branbon]

Also seeing similar issue with DNS over TLS. I had no System DNS servers set & was relying on Unbound to handle the resolution. (Adding a System DNS server remedied the issue for me for now)

Sample Unbound log:

Code Select Expand

2024-12-03T08:51:22-05:00 Notice unbound [57387:1] notice: ssl handshake failed 1.1.1.1 port 853
2024-12-03T08:51:22-05:00 Error unbound [57387:1] error: ssl handshake cert error: unable to get local issuer certificate
2024-12-03T08:51:22-05:00 Error unbound [57387:1] error: and additionally crypto error:0A000086:SSL routines::certificate verify failed
2024-12-03T08:51:22-05:00 Error unbound [57387:1] error: and additionally crypto error:80000002:system library::No such file or directory
2024-12-03T08:51:22-05:00 Error unbound [57387:1] error: and additionally crypto error:16000069:STORE routines::unregistered scheme
2024-12-03T08:51:22-05:00 Error unbound [57387:1] error: and additionally crypto error:80000002:system library::No such file or directory
2024-12-03T08:51:22-05:00 Error unbound [57387:1] error: and additionally crypto error:16000069:STORE routines::unregistered scheme
2024-12-03T08:51:22-05:00 Error unbound [57387:1] error: and additionally crypto error:80000002:system library::No such file or directory
2024-12-03T08:51:22-05:00 Error unbound [57387:1] error: ssl handshake failed crypto error:16000069:STORE routines::unregistered scheme

NTP was also unable to synchronize due to failed DNS lookups.

[FullyBorked]

Yup, add me to the list as well.  Took me a bit to figure out why DNS was borked after the update.  Disabling DNS over TLS resolves it.

[dsh1705]

I am seeing the same behavior.

[yuusou]

Just posted on the other thread with the same issue.

[KHE]

From the release notes:
o system: remove the SSL bundles in default locations

Is this unbound still using these SSL bundles?

[franco]

Looks like an Unbound bug to me:

# opnsense-patch https://github.com/opnsense/core/commit/cdb8da72661

Patch, apply Unbound settings, test again. I can hotfix and see what fix upstream needs here.


Cheers,
Franco

[franco]

Apparently it's a feature they coined to be for "Windows" and default to off?

tls-win-cert: yes

instead of tls-cert-bundle... can anyone confirm?


Thanks,
Franco

https://nlnetlabs.nl/documentation/unbound/unbound.conf/

[jphylips]

Hi Franco,

The patch seems to work from my end.

Thanks a lot.

[yuusou]

How can I apply the patch and restart the service without overwriting the configuration? pluginctl overwrited dot.conf. *BSD is not my strong suit.

EDIT:
nevermind, realized opnsense uses template files after using my eyes and looking at the repo properly. All fixed now. Thank you!

[gac]

Patch works for me.

[franco]

How can I apply the patch and restart the service without overwriting the configuration? pluginctl overwrited dot.conf. *BSD is not my strong suit.

Just run the "opnsense-patch URL" command in the shell. It will do everything except hit apply for you.

[FullyBorked]

Apparently it's a feature they coined to be for "Windows" and default to off?

tls-win-cert: yes

instead of tls-cert-bundle... can anyone confirm?


Thanks,
Franco

https://nlnetlabs.nl/documentation/unbound/unbound.conf/

I don't see either of these entries in my unbound.conf file.  Should I check somewhere else? 

[gac]

Apparently it's a feature they coined to be for "Windows" and default to off?

tls-win-cert: yes

instead of tls-cert-bundle... can anyone confirm?


Thanks,
Franco

https://nlnetlabs.nl/documentation/unbound/unbound.conf/

I don't see either of these entries in my unbound.conf file.  Should I check somewhere else?

They would be in /var/unbound/etc/dot.conf

[franco]

No, /usr/local/opnsense/service/templates/OPNsense/Unbound/core/dot.conf otherwise it will be overwritten on apply.