Netgate Discussion Forum

    pfblocker pfb_dnsbl service not starting

      popeel-SSH

      I have a production firewall and am trying to configure pfBlocker, and the DNSBL isn't starting up, with this error:

      (/wrkdirs/usr/ports/www/lighttpd/work/lighttpd-1.4.76/src/fdevent.c.946) fdevent_load_file() /var/unbound/dnsbl_cert.pem: No such file or directory
      (/wrkdirs/usr/ports/www/lighttpd/work/lighttpd-1.4.76/src/server.c.1655) Initialization of plugins failed. Going down.

      pfsense - 25.07.1-RELEASE
      pfBlockerNG-devel - 3.2.10

      Any suggestions would be greatly appreciated! I have already rebooted the pfSense.

        Gertjan @popeel-SSH

        The dnsbl part of pfBlockerng uses a web server ("lighttpd") and this process needs a certificate.
        Before lighttpd gets started, the correct files are put in place.
        The issue : several files will be placed there, but one :

        @popeel-SSH said in pfblocker pfb_dnsbl service not starting:

        /var/unbound/dnsbl_cert.pem

        isn't there.
        Common reasons :
        "disk full" ?
        and before you start to check how much space is left on your pfSense disk : beware that the "unbound" folder /var/unbound/ is a special place : it's chrooted, which means it runs in its own 'protected' environment, not on the global pfSense disk space.

        This is my copy of that 'space' :

        [screenshot]

        where I highlighted the file that you were missing.
        As you can see, the most important core system folders are also mounted in that special place, as /usr/* /lib/* /dev/* etc

        Can you list the files you have in your /var/unbound/
        Like this :

        [25.07.1-RELEASE][root@pfSense.bhf.tld]/root: ls -al /var/unbound
        total 2298
        drwxr-xr-x   8 unbound unbound      35 Oct  8 13:38 .
        drwxr-xr-x  31 root    wheel        31 Dec  6  2023 ..
        -rw-r--r--   1 root    unbound     524 Sep 24 13:47 access_lists.conf
        drwxr-xr-x   2 unbound unbound       2 Dec  6  2023 conf.d
        dr-xr-xr-x  17 root    wheel       512 Aug 20 07:35 dev
        -rw-r--r--   1 root    unbound       0 Sep 24 13:47 dhcpleases_entries.conf
        -rw-r--r--   1 root    unbound    3359 Oct  1 08:28 dnsbl_cert.pem
        -rw-r--r--   1 root    unbound       0 Sep 24 13:47 domainoverrides.conf
        -rw-r--r--   1 root    unbound    8089 Sep 24 13:47 host_entries.conf
        drwxr-xr-x   2 root    unbound       4 Feb 26  2025 leases
        drwxr-xr-x   4 root    wheel        83 Aug 20 07:33 lib
        -rw-r--r--   1 root    unbound    2264 Oct  1 08:28 pfb_dnsbl_lighty.conf
        -rw-r--r--   1 unbound unbound   16384 Oct  8 08:37 pfb_py_cache.sqlite
        -rw-r--r--   1 root    unbound       6 Oct  6 00:00 pfb_py_count
        -rw-r--r--   1 root    unbound  828243 Oct  6 00:00 pfb_py_data.txt
        -rw-r--r--   1 unbound unbound    8192 Oct  8 11:50 pfb_py_dnsbl.sqlite
        -rw-r--r--   1 root    unbound 1687428 Oct  1 08:28 pfb_py_hsts.txt
        -rw-r--r--   1 unbound unbound   20480 Oct  8 13:38 pfb_py_resolver.sqlite
        -rw-r--r--   1 root    unbound    5242 Jul 25 13:33 pfb_py_ss.txt
        -rw-r--r--   1 root    unbound    1373 Jul 25 13:34 pfb_py_whitelist.txt
        -rw-r--r--   1 root    unbound 3156285 Oct  6 00:00 pfb_py_zone.txt
        -rw-r--r--   1 root    unbound     355 Aug 30 13:04 pfb_unbound.ini
        -rw-r--r--   1 root    unbound   66533 Oct  1 08:28 pfb_unbound.py
        -rw-r--r--   1 root    unbound    5527 Oct  1 08:28 pfb_unbound_include.inc
        -rw-r--r--   1 root    unbound     300 Nov 19  2023 remotecontrol.conf
        -rw-r--r--   1 unbound unbound    1250 Oct  8 09:33 root.key
        -rw-r--r--   1 root    unbound    5605 Sep 24 13:47 sslcert.crt
        -rw-------   1 root    unbound    1675 Sep 24 13:47 sslcert.key
        -rw-r--r--   1 unbound unbound    2250 Oct  1 08:28 unbound.conf
        -rw-------   1 unbound unbound    2484 Nov 19  2023 unbound_control.key
        -rw-r-----   1 unbound unbound    1501 Nov 19  2023 unbound_control.pem
        -rw-------   1 unbound unbound    2484 Nov 19  2023 unbound_server.key
        -rw-r-----   1 unbound unbound    1549 Nov 19  2023 unbound_server.pem
        drwxr-xr-x   3 root    unbound       3 Nov 19  2023 usr
        drwxr-xr-x   3 root    unbound       3 Nov 19  2023 var
        

        and while you are inspecting that place, have a look at all the sub (and sub sub and so on) folders and look for 'big' files. Start with the most logical place : /var/unbound/var/log/pfblockerng ^^
        Check also /var/unbound/leases/

        Another check : with your favourite FreeBSD editor (vi ^^) or 'ee', create a small file yourself.
        My "dnsbl_cert.pem" is just over 3 Kilobytes in size.
        Fill up a file with 4 K of rubbish, and can you save it in /var/unbound/ ?


        edit : as per forum search : https://forum.netgate.com/topic/91736/pfblockerng-v2-0-w-dnsbl/66?_=1759924437264

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

          popeel-SSH

          Thanks for the update. 👍

          [screenshot]

          Disk space is healthy. It's only 1% used.
          [screenshot]

          This .pem file is missing in that unbound folder. I have created an empty file and then it complained "couldn't read X509"
          because it should be a certificate file.

          I am not sure why this file has not created itself.

          I have removed the package and reinstalled it a few times.
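
Added example (not part of the original posts, and not pfBlockerNG or pfSense code): the checks suggested in this thread for /var/unbound, collected in a POSIX sh script that reports filesystem usage, tries a 4 KiB write, lists oversized files, and tells a missing certificate file apart from an empty or non-PEM one. The function names, the 100 MiB default threshold and the header-only certificate check are assumptions of this sketch.

```sh
#!/bin/sh
# Added example, not pfBlockerNG code. Function names and the default
# size threshold are assumptions made for this sketch.

# fs_used_pct DIR: capacity column of the filesystem holding DIR, e.g. "1%".
fs_used_pct() {
    df -P "$1" | awk 'NR == 2 { print $5 }'
}

# can_write_4k DIR: save a 4 KiB scratch file in DIR, then remove it.
# Succeeds only if all 4096 bytes reached the file.
can_write_4k() {
    probe="$1/.write_probe.$$"
    size=0
    if dd if=/dev/zero of="$probe" bs=1024 count=4 2>/dev/null; then
        size=$(wc -c < "$probe" | tr -d ' ')
    fi
    rm -f "$probe"
    [ "$size" -eq 4096 ]
}

# big_files DIR KIB: regular files under DIR larger than KIB kibibytes.
big_files() {
    find "$1" -type f -size +"$2"k 2>/dev/null | sort
}

# pem_state FILE: missing | empty | not-pem | cert-header-present.
# An empty placeholder file is reported as "empty"; the header test is a
# sanity check only and does not validate the certificate.
pem_state() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ ! -s "$1" ]; then
        echo empty
    elif ! grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo not-pem
    else
        echo cert-header-present
    fi
}

# diagnose DIR FILE [KIB]: run all checks and print a short report.
diagnose() {
    dir=$1 file=$2 kib=${3:-102400}   # 102400 KiB = 100 MiB (assumed default)
    echo "filesystem used: $(fs_used_pct "$dir")"
    if can_write_4k "$dir"; then echo "4 KiB write: ok"; else echo "4 KiB write: FAILED"; fi
    echo "$file: $(pem_state "$dir/$file")"
    echo "files over $kib KiB:"
    big_files "$dir" "$kib"
}

# Usage with the paths from the thread: sh check.sh /var/unbound dnsbl_cert.pem
if [ "$#" -ge 2 ]; then
    diagnose "$@"
fi
```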

            popeel-SSH @Gertjan

            @Gertjan

            Looks like I have missed so many files, which include all the certificate and SSL files.

            [screenshot]

              Gertjan @popeel-SSH

              @popeel-SSH

              [screenshot]

              Yikes ....

              You saw that 298987882 ? That's a file size in bytes.
              Or 300 Mbytes or so.

              Please, confirm that you follow the "I use pfBlockerNG in '2025' mode" aka 'python mode':

              [screenshot]

              and if this is the case, delete that huge "pfb_dnsbl.conf" file.

              Hummm, it was created moments ago.
              You are, I guess, still using pfBlockerNG with 'unbound' mode.
              Long story short : ..... don't (or at least, beware of the consequences, like the problem you now have ^^)

                popeel-SSH @Gertjan

                @Gertjan

                I used the unbound mode, not python.

                I just changed to python mode and force reloaded all, and the issue is still there.

                [3 screenshots]

                  Gertjan @popeel-SSH

                  @popeel-SSH

                  The big file is gone ?
                  /var/unbound/dnsbl_cert.pem really isn't there ?

                  During the reload : this part :

                  ....
                  Saving DNSBL statistics... completed [ 10/8/25 14:30:26 ]
                  Reloading Unbound Resolver (DNSBL python).
                  Stopping Unbound Resolver.
                  Unbound stopped in 2 sec.
                  Additional mounts (DNSBL python):
                    No changes required.
                  Starting Unbound Resolver... completed [ 10/8/25 14:30:28 ]
                  Resolver cache restored [ 10/8/25 14:30:29 ]
                  DNSBL update [ 79112 | PASSED  ]... completed
                  ....
                  

                  what does your reload log say ?

                  You can also try : stop unbound manually on the dashboard.
                  Count to 3.
                  Start it on the same place.
                  Restart/reload pfBlockerng again.

                    popeel-SSH @Gertjan

                    @Gertjan

                    Unfortunately, /var/unbound/dnsbl_cert.pem still isn't there.

                    [2 screenshots]

                      popeel-SSH

                      @Gertjan said in pfblocker pfb_dnsbl service not starting:

                      You can also try : stop unbound manually on the dashboard.
                      Count to 3.
                      Start it on the same place.
                      Restart/reload pfBlockerng again.

                      I cannot find a place to stop unbound from the dashboard. Is that in the pfSense+ web interface ?

                        Gertjan @popeel-SSH

                        @popeel-SSH said in pfblocker pfb_dnsbl service not starting:

                        /var/unbound/dnsbl_cert.pem still isn't there.

                        Look at mine :
                        It was (re) created 8 days ago, that's more than a week.
                        That was, I guess ? when I reinstalled (== upgraded) pfBlockerNG.
                        So ... not sure, it isn't recreated every time ??

                        Look at : /usr/local/pkg/pfblockerng/pfblockerng.inc line 181 : that's where the file is created.
                        That will happen when you (re) install pfBlockerNG.

                        So, give that a try ?
                        If there is a happy end, it will be announced by :

                        [screenshot]

                        Btw : remove all huge DNSBL feeds first.
                        Go minimal mode first, nothing fancy :

                        [screenshot]

                        I mean, I can see the place where the lighttpd config files are created (and the cert file) at the final "update DNSBL files" stage. If that stage isn't reached, the file never gets created etc.

                          popeel-SSH @Gertjan

                          @Gertjan

                          I don't want to run any files outside the box as it's in production. :(

                          I have removed the package > installed it > run the wizard to configure the basic setup. (Just select LAN & WAN)

                          When I went and changed to python mode and reloaded, it didn't install the certificate, and a manual start gives the error

                          "/var/unbound/dnsbl_cert.pem: No such file or directory"

                          I have sent a message to the developer and am waiting for any update.

                            Gertjan @popeel-SSH

                            @popeel-SSH said in pfblocker pfb_dnsbl service not starting:

                            I don't want to run any files outside the box as it's in production.

                            Outside ? What do you mean ?


                            My turn :
                            I deleted /var/unbound/dnsbl_cert.pem
                            Now, like you :

                            [25.07.1-RELEASE][root@pfSense.bhf.tld]/var/unbound: ll /var/unbound/dnsbl_cert.pem
                            ls: /var/unbound/dnsbl_cert.pem: No such file or directory
                            

                            I did a full reload (and scrolled through the resulting log) :

                            [screenshot]

                            You see what happened (green ^^).

                            And the file was there again :

                            [25.07.1-RELEASE][root@pfSense.bhf.tld]/var/unbound: ll /var/unbound/dnsbl_cert.pem
                            -rw-r--r--  1 root unbound 3359 Oct  8 15:51 /var/unbound/dnsbl_cert.pem
                            

                            For some reason, your 'pfSense' can't create a cert ? Or it can create the cert, but can't save it at the /var/unbound/ destination..... Hummm.
                            I'll take this one @home, study it somewhat to find out what the reason can be.

                              popeel-SSH @Gertjan

                              @Gertjan

                              Yes. It's not the only file that cannot be created. There is an SSL certificate file that needs to be in the same location, and in mine it is not.

                              Please let me know if you find anything.

                              I will wait a couple of days and maybe rebuild the firewall and see if that does anything.

                              Thanks for your time.

                                Gertjan @popeel-SSH

                                @popeel-SSH said in pfblocker pfb_dnsbl service not starting:

                                Yes. It's not the only file that cannot be created. There is an SSL certificate file that needs to be in the same location, and in mine it is not.

                                The "dnsbl_cert.pem" is the web server's (lighttpd) certificate file.
                                Other files are missing ?

                                  popeel-SSH @Gertjan

                                  @Gertjan Yes. As you can see in my screenshot of the unbound directory.

                                  I am planning to rebuild the pfSense and try that. I will update you.

                                  Thanks

                                    popeel-SSH @Gertjan

                                    @Gertjan

                                    I have reinstalled the firewall from fresh and installed pfBlocker with minimal settings, and it is functioning properly.

                                    After that, I performed a factory reset on the firewall, restored our config.xml, and installed pfBlockerNG with the same minimal settings, but I encountered the same error, and the certificate was not created.

                                    Not sure what in my config should stop this ??

                                    These are the files in my /var/unbound

                                    [screenshot]

                                      Gertjan @popeel-SSH

                                      This :

                                      @popeel-SSH said in pfblocker pfb_dnsbl service not starting:

                                      performed a factory reset on the firewall, restored our config.xml

                                      is a null operation.
                                      Your "pfSense" as installed, is always the same.

                                      When you discard your own setup, and go to the default setup, and reassign interfaces, and make it work again (LAN+WAN), and then import your previous config file, you're back at square zero.

                                        popeel-SSH @Gertjan

                                        @Gertjan

                                        I tried that too.

                                        pfSense factory default > set up the firewall basics (without any of our config) > install pfBlockerNG, run the wizard with only WAN and LAN > both pfblocker and DNSBL services run fine and start up okay.

                                        When I restore the config to the firewall, it then stops working.

                                        It's something in our config causing this to stop.

                                        Let's see if pfblocker support can help on this.

                                        I will keep updating.

                                        Thanks

                                          popeel-SSH @popeel-SSH

                                          @BBcan177

                                          Will find a solution for this sooner.

                                          Thanks in advance. :)

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.