24.7.10 Unbound DNS: DNS over TLS NOK? -> OK with 24.7.10_1

Started by longtom, December 03, 2024, 02:32:42 PM

Previous topic - Next topic
Print
Go Down Pages 1 2
User actions
December 03, 2024, 04:02:03 PM #15
Quote from: gac on December 03, 2024, 03:59:08 PM
Quote from: FullyBorked on December 03, 2024, 03:57:47 PM
Quote from: franco on December 03, 2024, 03:47:04 PM
Apparently it's a feature they coined to be for "Windows" and default to off?

tls-win-cert: yes

instead of tls-cert-bundle... can anyone confirm?


Thanks,
Franco

https://nlnetlabs.nl/documentation/unbound/unbound.conf/

I don't see either of these entries in my unbound.conf file.  Should I check somewhere else?
They would be in /var/unbound/etc/dot.conf

Hmm, ok the link he quoted mentioned the unbound.conf.  My dot.conf file other than a single forwarding zone is empty. 
December 03, 2024, 04:03:27 PM #16
24.7.10_1 is now live...
December 03, 2024, 04:04:23 PM #17
Quote from: franco on December 03, 2024, 04:00:52 PM
No, /usr/local/opnsense/service/templates/OPNsense/Unbound/core/dot.conf otherwise it will be overwritten on apply.

Thanks, mine is currently un-patched, I show " tls-system-cert: yes". 
December 03, 2024, 04:08:02 PM #18
> Thanks, mine is currently un-patched, I show " tls-system-cert: yes".

Can you add "tls-win-cert: yes" in the line below (with the same indent) and apply from GUI?

If that doesn't work "tls-cert-bundle: /usr/local/etc/ssl/cert.pem" and removing "tls-system-cert: yes" will do the trick.


Cheers,
Franco
December 03, 2024, 04:11:13 PM #19
Thanks a lot for the quick patch!  :)
December 03, 2024, 04:14:42 PM #20
Quote from: franco on December 03, 2024, 04:08:02 PM
> Thanks, mine is currently un-patched, I show " tls-system-cert: yes".

Can you add "tls-win-cert: yes" in the line below (with the same indent) and apply from GUI?

If that doesn't work "tls-cert-bundle: /usr/local/etc/ssl/cert.pem" and removing "tls-system-cert: yes" will do the trick.


Cheers,
Franco

Adding "tls-win-cert" in the line below didn't fix it.  But replacing "tls-system-cert: yes" with "tls-cert-bundle: /usr/local/etc/ssl/cert.pem" did restore functionality. 

Do I need to leave the "tls-win-cert: yes" in place? 
December 03, 2024, 04:15:27 PM #21
24.7.10_1 works fine for me. Thank you :)
December 03, 2024, 04:20:08 PM #22
Quote from: FullyBorked on December 03, 2024, 04:02:03 PM
Quote from: gac on December 03, 2024, 03:59:08 PM
Quote from: FullyBorked on December 03, 2024, 03:57:47 PM
Quote from: franco on December 03, 2024, 03:47:04 PM
Apparently it's a feature they coined to be for "Windows" and default to off?

tls-win-cert: yes

instead of tls-cert-bundle... can anyone confirm?


Thanks,
Franco

https://nlnetlabs.nl/documentation/unbound/unbound.conf/

I don't see either of these entries in my unbound.conf file.  Should I check somewhere else?
They would be in /var/unbound/etc/dot.conf

Hmm, ok the link he quoted mentioned the unbound.conf.  My dot.conf file other than a single forwarding zone is empty.
The documentation for `unbound.conf` just shows every available option - Unbound is one of the (sensible) apps which allows for options to be spread across multiple configuration files, for example some provided by a package manager (eligible for overwriting) and some manually (which should not be overwritten). Or separated out by purpose/feature.

So `/var/unbound/etc/dot.conf` will contain a rendered config file with the configuration entries from the `unbound.conf` man page, which are relevant for DNS-over-TLS (or `dot`).
December 03, 2024, 04:46:37 PM #23
> Do I need to leave the "tls-win-cert: yes" in place?

No, apparently it is only an alias for tls-system-cert after all but there is a bug somewhere because it ignores the system directory location, which I haven't seen before. Things like this were tested to death in the last month in fetch, pkg and syslog-ng and they all worked as documented in OpenSSL.


Cheers,
Franco
Print
Go Up Pages 1 2
User actions