Netgate Discussion Forum

    [SOLVED] pfBlockerNG - Reloading unbound fails

    18 Posts 8 Posters 12.0k Views
• BBcan177 (Moderator)

      @fpv:

      Sep 29 18:07:02 unbound 71145:0 error: remote control failed ssl crypto error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
      Sep 29 18:07:02 unbound 71145:0 notice: failed connection from 127.0.0.1 port 24090
      Sep 29 18:07:02 unbound 71145:0 error: remote control connection closed prematurely
      Sep 29 18:07:02 unbound 71145:0 error: remote control failed ssl crypto error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
      Sep 29 18:07:02 unbound 71145:0 notice: failed connection from 127.0.0.1 port 48160
      Sep 29 18:07:02 unbound 71145:0 error: remote control connection closed prematurely
      Sep 29 18:07:02 unbound 71145:0 error: remote control failed ssl crypto error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
      Sep 29 18:07:02 unbound 71145:0 notice: failed connection from 127.0.0.1 port 60622
      Sep 29 18:07:02 unbound 71145:0 error: remote control connection closed prematurely
      Sep 29 18:07:02 unbound 71145:0 error: remote control failed ssl crypto error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
      Sep 29 18:07:02 unbound 71145:0 notice: failed connection from 127.0.0.1 port 35310
      Sep 29 18:07:02 unbound 71145:0 error: remote control connection closed prematurely
      Sep 29 18:07:02 unbound 71145:0 error: remote control failed ssl crypto error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
      Sep 29 18:07:02 unbound 71145:0 notice: failed connection from 127.0.0.1 port 10312
      Sep 29 18:07:02 unbound 71145:0 error: remote control connection closed prematurely

      Any ideas where I should look next?

Did you enable DNSSEC in the Resolver? If you're using the Resolver in "Forwarder mode", ensure that the DNS servers you're using support DNSSEC.

      "Experience is something you don't get until just after you need it."

      Website: http://pfBlockerNG.com
      Twitter: @BBcan177  #pfBlockerNG
      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

• fpv

        Thanks for getting back so quickly. DNSSEC was enabled, forwarding was not. I disabled DNSSEC, restarted unbound and tried again, but the messages remain the same on both fronts.

• BBcan177 (Moderator)

          Enable "Suppression" in the pfBlockerNG General Tab, then run a "Force Reload - All" and see if that fixes it for you…

          Does this command execute ok?

          unbound-control -c /var/unbound/unbound.conf status
          

• fpv

            Enabled suppression and tried again, still the same.

            And no, the command does not execute OK:

            error: Error setting up SSL_CTX client key and cert
            34386131464:error:0200100D:system library:fopen:Permission denied:/builder/pfsense-232/tmp/FreeBSD-src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('/var/unbound/unbound_control.pem','r')
            34386131464:error:20074002:BIO routines:FILE_CTRL:system lib:/builder/pfsense-232/tmp/FreeBSD-src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400:
            34386131464:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/builder/pfsense-232/tmp/FreeBSD-src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:687:
            
            
• BBcan177 (Moderator)

              Something is wrong with the Resolver installation… Leave DNSBL disabled for now, and post in the DHCP/DNS section to see how to fix that issue with the base software...

Make sure to post what version of pfSense you are using. Or maybe try a fresh install and copy back your current config?

              Once you have the Resolver functional, then re-enable DNSBL...

• fpv

                All right, thanks for your help.

                One more thing: When I ran the unbound-control command just then I was NOT logged in as admin/root, but as another user who I thought had the same rights, which does not seem to be true. Running as root gives me

                unbound-control -c /var/unbound/unbound.conf status
                error: SSL handshake failed
                34386131464:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/builder/pfsense-232/tmp/FreeBSD-src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1185:
                
• fpv

                  I don't know how, but a reboot seems to have fixed it. unbound doesn't throw any errors, and DNSBL work as they should.

• Coornail

                    I had the same problem, restart didn't work for me.

                    What did help is that I disabled EasyPrivacy in DNSBL EasyList.

                    Not sure why this happened exactly, but maybe it will help people out who find this topic.

• lmannyr

                      I had this same Error: Reloading Unbound… Failed to Reload... Restoring previous database.... Not completed.

                      Disabling EasyPrivacy in DNSBL EasyList also worked for me.

Using pfSense 2.4.2-p1, the latest release.

• Superluminar

                        I had the same issues and found another solution:

Sometimes the certificates generated by unbound are not valid (by time/date/etc.).

Solution: delete all certificates from unbound in the folder /var/unbound/, then restart pfSense/unbound.

• noplan

Same here. After deleting

unbound_control.key
unbound_control.pem
unbound_server.key
unbound_server.pem

and rebooting, everything worked, with no error from

                          unbound-control -c /var/unbound/unbound.conf status

• alearero @noplan

                            @noplan said in [SOLVED] pfBlockerNG - Reloading unbound fails:

                            unbound-control -c /var/unbound/unbound.conf status

Hello, I am a beginner with pfSense. Can you please tell me what the commands to delete these files are, or is there an interface to remove them?

• alearero @Superluminar

                              @Superluminar

Hello, I am a beginner with pfSense. Can you please tell me what the commands to delete these files are, or is there an interface to remove them?

• noplan

                                rm unbound_control.key
                                

Be aware! And understand what you are doing.

                                brNp

• alearero @noplan

                                  @noplan

                                  It worked for me, thanks everyone.


• noplan

Cool thing! Have fun & stay safe, nP

• juanzelli @noplan

@noplan Many thanks. Removing those files (dated 1969) and restarting the Unbound service worked for me.

                                      Netgate 4100 and HPE InstantOn network at home
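The checks this thread ends up doing by hand, written up as an added example (not code from the thread, from pfBlockerNG or from pfSense): it classifies the OpenSSL error strings quoted in the posts above and inspects the four key/cert files in /var/unbound for the conditions reported here (unreadable to the current user, missing, or stamped at the epoch like the "dated 1969" files). The sample log lines and the temporary directory are constructed for the demonstration; the advice strings, the function names and the `openssl x509 -noout -dates` hint are my additions, not the thread's.

```python
"""Triage helpers for unbound remote-control failures (added example)."""
import os
import re
import tempfile
from pathlib import Path

# Directory from the unbound-control command in the thread (assumed default).
UNBOUND_DIR = "/var/unbound"

# Key/cert pair that unbound writes for remote control (names from the thread).
CONTROL_FILES = (
    "unbound_server.key", "unbound_server.pem",
    "unbound_control.key", "unbound_control.pem",
)

# 2000-01-01 UTC. A file stamped earlier was written while the clock still sat
# near the epoch, which is how "files dated 1969" come about.
SANE_EPOCH = 946_684_800

# OpenSSL error fragments seen in the thread, checked in order; first match wins.
SIGNATURES = (
    (re.compile(r"Permission denied.*fopen\('[^']+'"), "key_or_cert_unreadable"),
    (re.compile(r"sslv3 alert bad certificate"), "server_rejected_control_cert"),
    (re.compile(r"certificate verify failed"), "client_rejected_server_cert"),
    (re.compile(r"remote control connection closed prematurely"), "control_connection_dropped"),
)

# Next step per signature; wording is mine, the fixes are the ones the thread used.
ADVICE = {
    "key_or_cert_unreadable": "unbound-control could not open the key/cert: run it as root "
                              "or fix ownership/mode of the files in " + UNBOUND_DIR,
    "server_rejected_control_cert": "unbound rejected the control certificate: check its dates "
                                    "with 'openssl x509 -noout -dates -in <file>' and regenerate the pair",
    "client_rejected_server_cert": "unbound-control did not trust the server certificate: "
                                   "same fix, regenerate the control/server pair",
    "control_connection_dropped": "follows from the failed TLS handshake, not a separate fault",
}


def classify_line(line):
    """Return the signature label for one log or CLI output line, or None."""
    for pattern, label in SIGNATURES:
        if pattern.search(line):
            return label
    return None


def triage_log(lines):
    """Count how often each failure signature occurs in an iterable of lines."""
    counts = {}
    for line in lines:
        label = classify_line(line)
        if label is not None:
            counts[label] = counts.get(label, 0) + 1
    return counts


def check_control_files(directory=UNBOUND_DIR):
    """Return (name, problem) pairs for files that are missing, unreadable by the
    current user, or carry an implausible modification time. This looks at the
    files only; the certificate's own validity window needs 'openssl x509 -noout -dates'."""
    problems = []
    for name in CONTROL_FILES:
        path = Path(directory) / name
        if not path.is_file():
            problems.append((name, "missing"))
            continue
        if not os.access(path, os.R_OK):
            problems.append((name, "unreadable"))
        if path.stat().st_mtime < SANE_EPOCH:
            problems.append((name, "mtime_before_2000"))
    return problems


def recommend(lines, directory=UNBOUND_DIR):
    """Combine log triage and the file check into an ordered list of next steps."""
    steps = [ADVICE[label] for label in triage_log(lines)]
    if any(problem in ("missing", "mtime_before_2000") for _, problem in check_control_files(directory)):
        steps.append("regenerate the pair: remove the four unbound_* key/pem files in "
                     + directory + " and restart unbound")
    return steps


# Constructed samples, abbreviated from the lines quoted in the thread.
SAMPLE_DAEMON_LOG = [
    "Sep 29 18:07:02 unbound 71145:0 error: remote control failed ssl crypto error:14094412:"
    "SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate",
    "Sep 29 18:07:02 unbound 71145:0 notice: failed connection from 127.0.0.1 port 24090",
    "Sep 29 18:07:02 unbound 71145:0 error: remote control connection closed prematurely",
]
SAMPLE_CLI_UNPRIVILEGED = [
    "error: Error setting up SSL_CTX client key and cert",
    "34386131464:error:0200100D:system library:fopen:Permission denied:bss_file.c:398:"
    "fopen('/var/unbound/unbound_control.pem','r')",
]
SAMPLE_CLI_ROOT = [
    "error: SSL handshake failed",
    "34386131464:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1185:",
]


def build_sample_dir():
    """Constructed fixture: three of four files present, server cert stamped at the epoch."""
    directory = tempfile.mkdtemp(prefix="unbound_sample_")
    for name in CONTROL_FILES[:3]:
        (Path(directory) / name).write_text("placeholder, not a real key\n")
    os.utime(Path(directory) / "unbound_server.pem", (0, 0))
    return directory


if __name__ == "__main__":
    sample_dir = build_sample_dir()
    for step in recommend(SAMPLE_DAEMON_LOG + SAMPLE_CLI_ROOT, sample_dir):
        print("-", step)
```

Point `recommend()` at a real log excerpt and the real directory to get the same ordered list on a box; the unreadable-file case is reported but deliberately does not trigger the "regenerate" step, because the thread shows that symptom was a privilege problem, not a bad certificate.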

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.