Netgate SG-1100 - 2.4.4-RELEASE-p3 - Unbound Won't start
-
We have two Netgate SG-1100 units, both running pfSense 2.4.4-RELEASE-p3. Both have the DNS Resolver (unbound) enabled, but on both the unbound service won't start.
The DNS Resolver Log only has:
May 24 11:12:29 kernel unbound: 1.8.1 -> 1.9.1 [pfSense]
The General Log has:
May 31 14:11:09 dhcpleases Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such file or directory.
May 31 14:11:10 dhcpleases Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such file or directory.
May 31 14:11:10 dhcpleases Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such file or directory.
May 31 14:11:13 dhcpleases Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such file or directory.
May 31 14:11:13 dhcpleases Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such file or directory.
May 31 14:11:15 dhcpleases kqueue error: unknown
May 31 14:11:15 dhcpleases Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such file or directory.
May 31 14:12:03 dhcpleases /etc/hosts changed size from original!
May 31 14:12:03 dhcpleases Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such file or directory.
May 31 14:12:08 php-fpm 95254 /status_services.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1559333528] unbound[47979:0] error: Error for server-cert-file: /var/unbound/unbound_server.pem [1559333528] unbound[47979:0] error: Error in SSL_CTX use_certificate_chain_file crypto error:0906D06C:PEM routines:PEM_read_bio:no start line [1559333528] unbound[47979:0] error: and additionally crypto error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib [1559333528] unbound[47979:0] fatal error: could not set up remote-control'
The DHCP Server log has:
May 31 14:16:59 dhcpleases Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such file or directory.
DNS Forwarder is disabled.
We have the DNS Resolver enabled, and listening on port 53, and 853 for SSL/TLS.
Nothing we have tried in the other forum posts has worked.
https://forum.netgate.com/topic/94320/unbound-does-not-automatically-start-after-reboot/13
https://www.reddit.com/r/PFSENSE/comments/73x9kq/unbound_not_starting_no_dns_resolving_for_network/
DNS resolution appears to work; however, this service is not running, so I'm not sure how it could be working but not running.
Any suggestions?
-
https://forum.netgate.com/topic/140349/dsnbl-error-connect-can-t-assign-requested-address-for-127-0-0-1-port-953/34
-
This does not apply to this issue. I don't even have a file or directory called /var/unbound.
I do not have pfBlockerNG installed; this is a Netgate hardware appliance.
We also are not using any other ports other than default. So not using port 953.
-
Well, a problem with the certificate doesn't involve pfBlockerNG.
Did you save the settings in DNS Resolver? Maybe that could create the /var/unbound folder and start the service.
-
Saved the settings 5 times, and still no change, and /var/unbound was not created.
Oddly, the 2nd one is now working; no change was made and it was saved.
The other one is not working; no change was made and it was saved, but it is still not working.
Both do not have /var/unbound created, but one works, the other does not, both are the same model and firmware level.
Same error as listed in logs.
We also see this in the logs as well:
Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such file or directory.
After clicking SAVE and then APPLY, I get that the change was successful:
The changes have been applied successfully.
but it still will not start the unbound service.
-
I am now getting a lot of these on the SG-1100 that is NOT working:
/services_unbound.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1559525137] unbound[99413:0] error: Error for server-cert-file: /var/unbound/unbound_server.pem [1559525137] unbound[99413:0] error: Error in SSL_CTX use_certificate_chain_file crypto error:0906D06C:PEM routines:PEM_read_bio:no start line [1559525137] unbound[99413:0] error: and additionally crypto error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib [1559525137] unbound[99413:0] fatal error: could not set up remote-control'
Would deleting the pem files correct this issue?
-
Yes, stop unbound, delete all certificate files, save settings, start unbound, if not, reboot the system.
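The log line in this thread ("PEM routines:PEM_read_bio:no start line" on /var/unbound/unbound_server.pem) means unbound opened the file its remote-control setup points at and found no PEM BEGIN marker in it, so the whole start was aborted. The script below is an added example, not code from this thread or from pfSense: it performs that same preflight check over the four remote-control files unbound-control-setup produces (file names taken from the ls listing later in the thread; the /var/unbound default is assumed from the thread), and it builds a constructed temporary directory with placeholder files, one of them deliberately missing its BEGIN line, so the check can be exercised without touching a real appliance.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense. It reproduces the
# check behind the "PEM routines:PEM_read_bio:no start line" error: before
# unbound starts, confirm that each remote-control file it reads is a real
# PEM container. Default directory assumed from the thread: /var/unbound.

# Exit 0 if FILE is non-empty and carries a PEM BEGIN line and an END line;
# exit 1 otherwise. A missing BEGIN line is exactly what OpenSSL reports as
# "no start line".
pem_has_markers() {
    f="$1"
    [ -s "$f" ] || return 1
    grep -q '^-----BEGIN ' "$f" || return 1
    grep -q '^-----END ' "$f" || return 1
    return 0
}

# Walk the four files unbound-control-setup generates (names from the ls
# listing in the thread). Prints one status line per file and exits 0 only
# when all four pass.
check_unbound_certs() {
    dir="${1:-/var/unbound}"
    bad=0
    for name in unbound_server.key unbound_server.pem \
                unbound_control.key unbound_control.pem; do
        if pem_has_markers "$dir/$name"; then
            echo "ok   $dir/$name"
        else
            echo "BAD  $dir/$name (missing, empty, or no PEM BEGIN/END markers)"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Build a constructed directory that mimics the thread's failure so the check
# can be exercised offline. The bodies are placeholder text, not key material.
# Prints the directory path.
make_demo_dir() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/unbound-demo.XXXXXX") || return 1
    for name in unbound_server.key unbound_control.key unbound_control.pem; do
        printf '%s\n' '-----BEGIN PLACEHOLDER-----' \
                      'QUJDREVGR0hJSktMTU5PUA==' \
                      '-----END PLACEHOLDER-----' > "$d/$name"
    done
    # unbound_server.pem: present but with no BEGIN line, the condition
    # unbound was choking on in the thread.
    printf '%s\n' 'QUJDREVGR0hJSktMTU5PUA==' > "$d/unbound_server.pem"
    echo "$d"
}

# "sh check.sh --demo" runs the check against the constructed directory;
# with no argument the functions are just defined, ready for
# "check_unbound_certs /var/unbound" on a real box.
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_demo_dir)
    check_unbound_certs "$demo" || \
        echo "remote-control files are not usable; regenerate them before starting unbound"
    rm -rf "$demo"
fi
```

On an appliance the real files are mode 0640 and owned by unbound (see the listing later in the thread), so run the check as root from the console or SSH; on a file that passes the marker check, `openssl x509 -noout -in /var/unbound/unbound_server.pem` is the definitive parse test. Any file reported BAD is the case this thread resolves: stop unbound, remove the broken remote-control files, save the Resolver settings so they are regenerated, then start the service.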
-
@RonpfS Unbound is not running; actually, it won't start, and that is what started this whole issue. I have one SG-1100 that unbound starts on, and another SG-1100 on which unbound won't start. I'll try deleting the pem files, restart unbound, and report back the findings.
-
That worked! Thanks @RonpfS - I now have the unbound service running on both SG-1100 appliances. THANKS A LOT!
-
The directory /var/unbound was always there.
If not, this error:
May 31 14:12:08 php-fpm 95254 /status_services.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1559333528] unbound[47979:0] error: Error for server-cert-file: /var/unbound/unbound_server.pem [1559333528] unbound[47979:0] error: Error in SSL_CTX use_certificate_chain_file crypto error:0906D06C:PEM routines:PEM_read_bio:no start line [1559333528] unbound[47979:0] error: and additionally crypto error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib [1559333528] unbound[47979:0] fatal error: could not set up remote-control'
wasn't possible.
unbound found its settings file /var/unbound/unbound.conf and had trouble reading a cert file mentioned in /var/unbound/unbound.conf.
That is a file called unbound.conf in the directory /var/unbound/. So both exist.
Check why you couldn't find /var/unbound/:
[2.4.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: cd /var
[2.4.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/var: cd unbound/
[2.4.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/var/unbound: ls -al
total 80
drwxr-xr-x  5 unbound  unbound  1024 May 22 17:22 .
drwxr-xr-x 32 root     wheel     512 May 16 00:55 ..
-rw-r--r--  1 root     unbound   345 May 22 17:22 access_lists.conf
drwxr-xr-x  2 unbound  unbound   512 May 16 00:55 conf.d
-rw-r--r--  1 root     unbound     0 May 22 17:22 dhcpleases_entries.conf
-rw-r--r--  1 root     unbound  3578 Nov 25  2015 dnsbl_cert.pem
-rw-r--r--  1 root     unbound     0 May 22 17:22 domainoverrides.conf
-rw-r--r--  1 root     unbound  6192 May 22 17:22 host_entries.conf
-rw-r--r--  1 unbound  unbound  1668 May 21 12:59 netflix-no-aaaa.py
-rw-r--r--  1 root     unbound     0 Jun  7  2016 pfb_dnsbl.conf
-rw-r--r--  1 root     unbound  1216 May 30  2016 pfb_dnsbl_lighty.conf
-rw-r--r--  1 root     unbound   300 Jan 29  2015 remotecontrol.conf
-rw-r--r--  1 unbound  unbound   759 May 22 17:22 root.key
-rw-r--r--  1 root     unbound  3953 Mar  1 17:30 sslcert.crt
-rw-------  1 root     unbound  3247 Mar  1 17:30 sslcert.key
-rw-r--r--  1 root     unbound  1985 May 22 17:22 unbound.conf
-rw-r-----  1 unbound  unbound  1277 Jan 29  2015 unbound_control.key
-rw-r-----  1 unbound  unbound   802 Jan 29  2015 unbound_control.pem
-rw-r-----  1 unbound  unbound  1277 Jan 29  2015 unbound_server.key
-rw-r-----  1 unbound  unbound   790 Jan 29  2015 unbound_server.pem
drwxr-xr-x  3 root     unbound   512 Jan  8  2018 usr
drwxr-xr-x  3 root     unbound   512 Jan  8  2018 var
You are using the console access, right?
-
@BEB-Consulting said in Netgate SG-1100 - 2.4.4-RELEASE-p3 - Unbound Won't start:
and 853 for SSL/TLS.
More than likely this was the root of your problem... If you're going to want unbound to listen on 853, then you have to take the time to make sure the cert it's going to use is valid, etc.
That is clearly not selected out of the box. Why did you try and enable that? In what possible scenario would you want/need to serve local DNS over TLS? Do you have your unbound open to the public?