Netgate Discussion Forum

    24.03 servicewatchdog_cron unbound certificate no such file (service won't start)

    • 4o4rh

      Hi guys,
      After upgrading I am getting the below error:

      servicewatchdog_cron.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1714018381] unbound[62681:0] error: Error for server-cert-file: /var/unbound/unbound_server.pem [1714018381] unbound[62681:0] error: Error in SSL_CTX use_certificate_chain_file crypto error:80000002:system library::No such file or directory [1714018381] unbound[62681:0] error: and additionally crypto error:10080002:BIO routines::system lib [1714018381] unbound[62681:0] error: and additionally crypto error:0A080002:SSL routines::system lib [1714018381] unbound[62681:0] fatal error: could not set up remote-control'
      

      and also a warning that

      "Boot verification failed for default. Netgate pfSense Plus was automatically rebooted back into default_20240424230250. @ 2024-04-25 00:23:35"
      
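The log in the post above shows unbound aborting because the `server-cert-file` it needs for remote-control does not exist. The following is an added example, not part of the thread or of pfSense: a check that lists every remote-control key or certificate file named in an `unbound.conf` that is missing or empty. The function name `missing_rc_files` and the scratch directory are assumptions; the key and certificate file names other than `unbound_server.pem` are unbound's default names and do not come from the page.

```shell
#!/bin/sh
# Added example: report remote-control key/cert files that unbound.conf
# names but that are missing or empty on disk.
missing_rc_files() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # Extract "option path" pairs; strip optional quotes and comments.
    pairs=$(sed -n -E \
        's/^[[:space:]]*((server|control)-(key|cert)-file):[[:space:]]*"?([^"#]*[^"#[:space:]])"?.*$/\1 \4/p' \
        "$conf")
    bad=0
    while read -r opt path; do
        [ -n "$opt" ] || continue          # config names no such files
        if [ ! -s "$path" ]; then          # absent or zero-length
            echo "$opt: $path"
            bad=1
        fi
    done <<EOF
$pairs
EOF
    return "$bad"
}

# Demo on a constructed config in a scratch directory that stands in
# for /var/unbound (sample data, not taken from a real system).
demo_dir=$(mktemp -d "${TMPDIR:-/tmp}/rcdemo.XXXXXX")
cat > "$demo_dir/unbound.conf" <<EOF
remote-control:
    control-enable: yes
    server-key-file: "$demo_dir/unbound_server.key"
    server-cert-file: "$demo_dir/unbound_server.pem"
    control-key-file: "$demo_dir/unbound_control.key"
    control-cert-file: "$demo_dir/unbound_control.pem"
EOF
for f in unbound_server.key unbound_control.key unbound_control.pem; do
    echo placeholder > "$demo_dir/$f"      # server cert deliberately absent
done
missing_rc_files "$demo_dir/unbound.conf" ||
    echo "files listed above must exist before unbound can start"
rm -rf "$demo_dir"
```

A non-zero return means a restart attempt would fail the same way as in the log, so restarting in a loop cannot help until the listed files exist.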
      • Gertjan @4o4rh

        @4o4rh said in 24.03 servicewatchdog_cron unbound certificate no such file (service won't start):

        servicewatchdog_cron.php:

        Simply put: the service watchdog package has no brains.
        It's like the guy that has a heart defibrillator in his pocket, and sees someone lying on the street, not moving, and clearly in agony.
        Our guy doesn't think, gets out the manual, applies the electric patches, arms the defibrillator and activates a 'shock'.
        Our guy never noticed that medics were already occupied with our person on the ground, and that he shouldn't have done what he just did.
        The result was: one person and several medics electrocuted. More medics are needed now.

        More to the point:
        The "service watchdog package" is a package that was meant to be used by a pfSense software developer.
        During my last 10+ years of pfSense & unbound usage: I never found my 'unbound' in a not running state (except when I was messing around, but I know what I do, and can undo what I've done).
        If unbound stops, the reason why it stopped should be found, and resolved.
        pfSense itself can, under circumstances like the admin changing a setting, or an interface going down (why?), restart unbound. If this took some time, and thus the "service watchdog package" kicks in while unbound was already in an OS-generated restarting sequence, everything has been set up to create a perfect mess. The result is classic: "DNS" will be out of order.

        And you just discovered a new effect: as pfSense thinks the system didn't reboot OK, you found this:

        "Boot verification failed for default. Netgate pfSense Plus was automatically rebooted back

        My advice: get rid of this "service watchdog package".
        Or, at least, do what you have to, but don't bother unbound with it.

        unbound still fails on you :
        Tell us about your pfSense / hardware / settings and I'm sure we'll figure it out.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • stephenw10 Netgate Administrator

          Yes try disabling the watchdog for Unbound and then try to upgrade again.

          • 4o4rh @stephenw10

            @stephenw10 Disabling/removing the watchdog didn't work. It seems I made the mistake of not removing pfblockerng and specifically suricata before I upgraded. When I subsequently removed both packages, suricata still showed in the installed packages with a red exclamation mark. When I try to reinstall it though, it gets stuck on "installing snort rules"; however, if you open a new window and check the status on suricata, it shows the rules having been successfully updated.

            • jimp moved this topic from Problems Installing or Upgrading pfSense Software on
            • stephenw10 Netgate Administrator

              So it did upgrade successfully with those packages removed?

              • 4o4rh @stephenw10

                @stephenw10 Still having some issues getting wireguard, pfblocker and suricata to start, but definitely should have removed them before the upgrade, I think.

                • stephenw10 Netgate Administrator

                  I wouldn't expect to need to but it will take a lot longer to upgrade with them in place.

                  • 4o4rh @stephenw10

                    @stephenw10 Looks like it may actually be an issue with pfblockerng in the new build:
                    ERROR: Type: 1, File: /usr/local/www/pfblockerng/pfblockerng_category_edit.php, Line: 391, Message: Uncaught ValueError: range(): Argument #3 ($step) must be greater than 0 for increasing ranges in /usr/local/www/pfblockerng/pfblockerng_category_edit.php:391
                    Stack trace:
                    #0 /usr/local/www/pfblockerng/pfblockerng_category_edit.php(391): range()
                    #1 {main}

                    • Gertjan @4o4rh

                      @4o4rh said in 24.03 servicewatchdog_cron unbound certificate no such file (service won't start):

                      ERROR: Type: 1, File: /usr/local/www/pfblockerng/pfblockerng_category_edit.php, Line: 391, Message: Uncaught ValueError: range(): Argument #3 ($step) must be greater than 0 for increasing ranges in /usr/local/www/pfblockerng/pfblockerng_category_edit.php:391

                      This one ?

                      • stephenw10 Netgate Administrator

                        Yup almost certainly that is generating that error.

                        But that shouldn't prevent upgrading. Or running pfBlocker in 24.03. It only happens if you try to edit a list.

                        • 4o4rh @stephenw10

                          @stephenw10 Yep. I was trying to remove one of the failing downloads. How do you add the official patch via system/patches, please?

                          I tried a couple of methods. I get:

                          • does not apply cleanly
                          • does not revert cleanly
                          • stephenw10 Netgate Administrator

                            The default settings there should work:
                            [Screenshot from 2024-04-25 17-14-56.png]

                            • 4o4rh @stephenw10

                              @stephenw10 Got that, thanks. Seems there are still some issues with DNS resolution on the internal network.

                              • JonathanLee @Gertjan

                                @Gertjan haha 🤣 noooo watchdog is like a beefed up junkyard dog that won’t stop barking until you find out what is going on

                                Make sure to upvote

                                • 4o4rh @stephenw10

                                  @stephenw10 Static DHCP entries are not resolving. Upon checking the UI for DNS Resolver, the checkboxes for "DHCP Registration" and "Static DHCP" are no longer there.

                                  • 4o4rh @JonathanLee

                                    @JonathanLee Misdirection. I already posted what the root cause was. Everything is working now, except Static DHCP registrations in the DNS Resolver: the checkbox is missing now.

                                    • Gertjan @4o4rh

                                      @4o4rh

                                      You mean these :

                                      [screenshot]

                                      I'm using 24.03, and I see them.

                                      Probably because :

                                      [screenshot]

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.