[SOLVED] pfBlockerNG - Reloading unbound fails

BBcan177

@fpv:

Sep 29 18:07:02 unbound 71145:0 error: remote control failed ssl crypto error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Sep 29 18:07:02 unbound 71145:0 notice: failed connection from 127.0.0.1 port 24090
Sep 29 18:07:02 unbound 71145:0 error: remote control connection closed prematurely
Sep 29 18:07:02 unbound 71145:0 error: remote control failed ssl crypto error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Sep 29 18:07:02 unbound 71145:0 notice: failed connection from 127.0.0.1 port 48160
Sep 29 18:07:02 unbound 71145:0 error: remote control connection closed prematurely
Sep 29 18:07:02 unbound 71145:0 error: remote control failed ssl crypto error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Sep 29 18:07:02 unbound 71145:0 notice: failed connection from 127.0.0.1 port 60622
Sep 29 18:07:02 unbound 71145:0 error: remote control connection closed prematurely
Sep 29 18:07:02 unbound 71145:0 error: remote control failed ssl crypto error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Sep 29 18:07:02 unbound 71145:0 notice: failed connection from 127.0.0.1 port 35310
Sep 29 18:07:02 unbound 71145:0 error: remote control connection closed prematurely
Sep 29 18:07:02 unbound 71145:0 error: remote control failed ssl crypto error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Sep 29 18:07:02 unbound 71145:0 notice: failed connection from 127.0.0.1 port 10312
Sep 29 18:07:02 unbound 71145:0 error: remote control connection closed prematurely

Any ideas where I should look next?

Did you enable DNSSEC in the Resolver? If you're using the Resolver in "Forwarder mode", ensure that the DNS Servers that your using support DNSSEC.

fpv

Thanks for getting back so quickly. DNSSEC was enabled, forwarding was not. I disabled DNSSEC, restarted unbound and tried again, but the messages remain the same on both fronts.

BBcan177

Enable "Suppression" in the pfBlockerNG General Tab, then run a "Force Reload - All" and see if that fixes it for you…

Does this command execute ok?

unbound-control -c /var/unbound/unbound.conf status

fpv

Enabled suppression and tried again, still the same.

And no, the command does not execute OK:

error: Error setting up SSL_CTX client key and cert
34386131464:error:0200100D:system library:fopen:Permission denied:/builder/pfsense-232/tmp/FreeBSD-src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('/var/unbound/unbound_control.pem','r')
34386131464:error:20074002:BIO routines:FILE_CTRL:system lib:/builder/pfsense-232/tmp/FreeBSD-src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400:
34386131464:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/builder/pfsense-232/tmp/FreeBSD-src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:687:

BBcan177

Something is wrong with the Resolver installation… Leave DNSBL disabled for now, and post in the DHCP/DNS section to see how to fix that issue with the base software...

Make sure to post what version of pfSense you are using. Or maybe try a fresh install and copy back you current config?

Once you have the Resolver functional, then re-enable DNSBL...

fpv

All right, thanks for your help.

One more thing: When I ran the unbound-control command just then I was NOT logged in as admin/root, but as another user who I thought had the same rights, which does not seem to be true. Running as root gives me

unbound-control -c /var/unbound/unbound.conf status
error: SSL handshake failed
34386131464:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/builder/pfsense-232/tmp/FreeBSD-src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1185:

fpv

I don't know how, but a reboot seems to have fixed it. unbound doesn't throw any errors, and DNSBL work as they should.

Coornail

I had the same problem, restart didn't work for me.

What did help is that I disabled EasyPrivacy in DNSBL EasyList.

Not sure why this happened exactly, but maybe it will help people out who find this topic.

lmannyr

I had this same Error: Reloading Unbound… Failed to Reload... Restoring previous database.... Not completed.

Disabling EasyPrivacy in DNSBL EasyList also worked for me.

Using PFSense 2.4.2 p1 latest release

Superluminar

I had the same issues and found another solution:

Sometimes the certificates generated by ubound are not valid (by time/date/etc.).

Solution: delete all certificates from ubound in the folder /var/ubound/ - than restart pfsense/ubound.

noplan

same here,
after deleting

unbound_control.key
unbound_control.pem
unbound_server.key
unbound_server.pem

reboot everything worked no error in

unbound-control -c /var/unbound/unbound.conf status

alearero

@noplan said in [SOLVED] pfBlockerNG - Reloading unbound fails:

unbound-control -c /var/unbound/unbound.conf status

Hello, I am a beginner in pfsense, please can you tell me what are the commands to delete these files? or is there an interface to remove them?

alearero

@Superluminar

Hello, I am a beginner in pfsense, please can you tell me what are the commands to delete these files? or is there an interface to remove them?

noplan

rm unbound_control.key

be aware ! and understand what you are doing.

brNp

alearero

@noplan

It worked for me, thanks everyone.

noplan

cool thing !
have fun & stay safe nP

juanzelli

@noplan Many thanks. Removing those files (dated 1969) and restarting the Unbound service worked for me