    DNS Resolver - Unable to save

    PrimusNZ
      last edited by PrimusNZ

      pfSense Community:

      2.4.4-RELEASE-p2 (amd64) 
      built on Wed Dec 12 07:40:18 EST 2018 
      FreeBSD 11.2-RELEASE-p6 
      

      I am unable to save any changes to my DNS Resolver settings.

      While symptoms are similar to this thread: https://forum.netgate.com/topic/105345/dns-resolver-unbound-can-t-change-config they are also very different.

      The error I get is:

      The generated config file cannot be parsed by unbound. Please correct the following errors:
      /var/unbound/test/unbound_server.key: No such file or directory
      [1555454130] unbound-checkconf[25658:0] fatal error: server-key-file: "/var/unbound/test/unbound_server.key" does not exist
      

      These files exist under /var/unbound (Along with the root.key)

      mkdir /var/unbound/test/
      cp -ax /var/unbound/*.{key,pem} /var/unbound/test/
      

      Does not work
      Rebooting the system does not work.
      Regenerating the keys also did not work.

      From looking at the source of /etc/inc/unbound.inc, in the function do_as_unbound_user, the following line doesn't appear to be executing correctly:

      mwexec("echo '/usr/local/sbin/unbound-control-setup -d {$g['unbound_chroot_path']}{$param1}' | /usr/bin/su -m unbound", true);

      Running this command manually from an SSH or console session (changing to use paths instead of variables) also seems to fail:

      [2.4.4-RELEASE][root@firewall.REDACTED]/etc/inc: echo '/usr/local/sbin/unbound-control-setup -d /var/unbound/test' | /usr/bin/su -m unbound
      pfSense - Netgate Device ID: REDACTED
      
      *** Welcome to pfSense 2.4.4-RELEASE-p2 (amd64) on firewall ***
      
       WAN (wan)       -> pppoe0     -> v4/PPPoE: REDACTED/32
       LAN (lan)       -> igb1       -> v4: 192.168.254.1/24
       HA (opt1)       -> igb2       -> v4: 192.168.253.1/24
       GAMING (opt2)   -> igb3       -> v4: 192.168.252.1/24
       VLAN_TEST (opt3) -> igb1.50    -> v4: 192.168.50.1/24
      
       0) Logout (SSH only)                  9) pfTop
       1) Assign Interfaces                 10) Filter Logs
       2) Set interface(s) IP address       11) Restart webConfigurator
       3) Reset webConfigurator password    12) PHP shell + pfSense tools
       4) Reset to factory defaults         13) Update from console
       5) Reboot system                     14) Disable Secure Shell (sshd)
       6) Halt system                       15) Restore recent configuration
       7) Ping host                         16) Restart PHP-FPM
       8) Shell
      
      
      pfSense - Netgate Device ID: REDACTED
      
      *** Welcome to pfSense 2.4.4-RELEASE-p2 (amd64) on firewall ***
      
       WAN (wan)       -> pppoe0     -> v4/PPPoE: REDACTED/32
       LAN (lan)       -> igb1       -> v4: 192.168.254.1/24
       HA (opt1)       -> igb2       -> v4: 192.168.253.1/24
       GAMING (opt2)   -> igb3       -> v4: 192.168.252.1/24
       VLAN_TEST (opt3) -> igb1.50    -> v4: 192.168.50.1/24
      
       0) Logout (SSH only)                  9) pfTop
       1) Assign Interfaces                 10) Filter Logs
       2) Set interface(s) IP address       11) Restart webConfigurator
       3) Reset webConfigurator password    12) PHP shell + pfSense tools
       4) Reset to factory defaults         13) Update from console
       5) Reboot system                     14) Disable Secure Shell (sshd)
       6) Halt system                       15) Restore recent configuration
       7) Ping host                         16) Restart PHP-FPM
       8) Shell
      
      
      kill: 25694: Operation not permitted
      

      However, if I switch to the unbound user using su -m unbound and then run /usr/local/sbin/unbound-control-setup -d /var/unbound/test, the command succeeds.

      Furthermore, if I edit /etc/inc/unbound.inc and modify function test_unbound_config, comment out the
      rmdir_recursive($cfgdir); line, then su to the unbound user and then run the above command, the Web GUI will save once. Which brings me back to the mwexec call not running correctly, and I suspect it's the piping to the su command (since this doesn't work for me from the SSH or console either).

      The DNS Resolver Web GUI options I have enabled are:
      General:

      • DNS Query Forwarding
      • DHCP Registration
      • Static DHCP

      Advanced:

      • Hide Identity
      • Hide Version

      pfblocker is NOT installed.
      The system logs also do not show any errors or anything relating to the DNS Resolver.

        apara @PrimusNZ
        last edited by

        @PrimusNZ I am having a similar error with the latest pfSense 2.4.4_3. Did you figure out how to get past this issue?

          nfld_republic
          last edited by

          I don't have a "real" solution but have you tried backing up your config, reinstalling pfSense and then restoring your config? Sometimes brute force works :-)

            apara @nfld_republic
            last edited by apara

            @nfld_republic Thanks for the suggestion. I may try that if all else fails. However, I have recently had to do just that for a different issue, so not looking forward to re-installing again.

            Right now, it seems that unbound-checkconf does not copy the keys to the ./test directory, so when it goes to check, the keys are missing with the following error:

            The following input errors were detected:

            The generated config file cannot be parsed by unbound. Please correct the following errors:
            /var/unbound/test/root.key: No such file or directory
            [1561931530] unbound-checkconf[36495:0] fatal error: auto-trust-anchor-file: "/var/unbound/test/root.key" does not exist in chrootdir /var/unbound

            I am running the latest version of pfSense 2.4.4-RELEASE-p3, so someone must have had this issue already. I found a couple of other related threads, but there were no definite solutions in there.

              nfld_republic @apara
              last edited by

              @apara (Sounding like I know what I'm talking about 😋 ) If you think that this is a repeatable bug you should post it to the pfSense bugtracker - https://redmine.pfsense.org/

                Gertjan @apara
                last edited by

                @apara said in DNS Resolver - Unable to save:

                it seems that unbound-checkconf does not copy the keys to the ./test directory,

                It's /etc/inc/unbound.inc : line 116 :

                do_as_unbound_user("unbound-anchor", $cfgsubdir);
                

                ( $cfgsubdir being "/test" here)
                that should create a root.key file in /var/unbound/test.

                I admit that I don't have the slightest idea why this works great on all my pfSense systems and not yours.
                Just a wild guess : not enough entropy ? (creating keys consumes entropy).

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                  apara @Gertjan
                  last edited by

                  @Gertjan is there a way to increase the entropy?

                  Are there any logs I can look at or increase verbosity to diagnose any issues?

                    Gertjan @apara
                    last edited by

                    @apara said in DNS Resolver - Unable to save:

                    @Gertjan is there a way to increase the entropy?

                    Dunno .... if that's the case.

                    What I did to check things was commenting this line : /etc/inc/unbound.inc line 123 :

                    rmdir_recursive($cfgdir);
                    

                    Now you can inspect the /var/unbound/test directory yourself.

                    You could even create this missing root.key (/var/unbound/test/root.key) as it is created by /etc/inc/unbound.inc - see line 564

                    True, this one :

                    mwexec("echo '/usr/local/sbin/unbound-anchor -a {$root_key_file}' | /usr/bin/su -m unbound", true);
                    

                    comes back with a ....

                    kill: 25188: Operation not permitted

                    When I run it like this :

                    /usr/bin/su -m unbound
                    

                    (switch to user unbound)

                    and then

                    /usr/local/sbin/unbound-anchor -a /var/unbound/test/root.key
                    

                    my root key is created (in /var/unbound/test/)


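Both the first post (staging the *.key/*.pem files into /var/unbound/test by hand) and the exchange above (creating root.key in the test directory before the GUI's check runs) come down to the same question: does the scratch directory that unbound-checkconf is pointed at actually contain every file the generated config references? The script below is an added example, not pfSense's own code and not part of this thread. It stages the key material the way the manual workaround did, lists anything still missing, and only then calls unbound-checkconf. It assumes the chroot is /var/unbound, that the scratch subdirectory is /test as in the thread, that unbound-checkconf is on PATH, and that the generated config sits at <testdir>/unbound.conf (that last path is an assumption; the thread does not state where the GUI writes it). The control-channel file names are the defaults unbound-control-setup generates.

```sh
#!/bin/sh
# Added example (not pfSense's own code): stage the files unbound-checkconf needs
# into a scratch subdirectory of the unbound chroot, report anything missing,
# and only then run the check. Defaults follow the paths quoted in the thread.

# stage_unbound_test_dir SRC DST
# Copies every *.key and *.pem file from SRC into DST (creating DST), mirroring
# the manual "cp -ax /var/unbound/*.{key,pem} /var/unbound/test/" workaround.
# Returns non-zero if DST cannot be created or nothing was copied.
stage_unbound_test_dir() {
    src=$1; dst=$2
    mkdir -p "$dst" || return 1
    n=0
    for f in "$src"/*.key "$src"/*.pem; do
        [ -e "$f" ] || continue          # glob matched nothing
        cp -p "$f" "$dst"/ || return 1
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]
}

# missing_unbound_keys DIR
# Prints each expected file that is absent or empty in DIR, one per line.
# Returns 1 if anything is missing, 0 if the directory is complete.
# root.key is the DNSSEC trust anchor (unbound-anchor); the other four are the
# default output of unbound-control-setup.
missing_unbound_keys() {
    dir=$1; rc=0
    for name in root.key unbound_server.key unbound_server.pem \
                unbound_control.key unbound_control.pem; do
        if [ ! -s "$dir/$name" ]; then
            echo "$dir/$name"
            rc=1
        fi
    done
    return $rc
}

# preflight_unbound_check CHROOT SUBDIR
# Stages the keys, refuses to call unbound-checkconf while files are missing
# (so the failure is reported as a list of paths instead of the first fatal
# error), and otherwise runs the check against the assumed config path.
preflight_unbound_check() {
    chroot=${1:-/var/unbound}; subdir=${2:-/test}
    testdir="$chroot$subdir"
    stage_unbound_test_dir "$chroot" "$testdir" || {
        echo "staging into $testdir failed" >&2; return 2; }
    if ! missing_unbound_keys "$testdir"; then
        echo "refusing to run unbound-checkconf: files listed above are missing" >&2
        return 1
    fi
    if command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf "$testdir/unbound.conf"   # config path is an assumption
    else
        echo "unbound-checkconf not on PATH; keys staged in $testdir" >&2
        return 0
    fi
}

# Usage: sh this_script.sh --run /var/unbound /test
if [ "${1:-}" = "--run" ]; then
    preflight_unbound_check "${2:-/var/unbound}" "${3:-/test}"
fi
```

Running the preflight as root reproduces the copy step the thread's workaround performed, but the useful part is the second function: when the GUI reports a single "does not exist" error, the list it prints tells you whether only root.key (the unbound-anchor step) or the whole control-channel set (the unbound-control-setup step) failed to appear, which narrows down which do_as_unbound_user call is not completing.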
                      bbrendon
                      last edited by bbrendon

                      Has anyone gotten past this? It seems like it should be so simple. I can't figure it out either! (v 2.4.5-p1)

                        bbrendon
                        last edited by

                        I got past it somehow. I "think" either messing with /root/.profile or a reboot fixed it.
