[SOLVED] pfBlockerNG - Reloading unbound fails



  • Hello!

    I installed pfSense 2.3.2 and wanted to give pfBlockerNG a try. I activated the EasyList for DNSBL, but there is an error when unbound is supposed to be reloaded during the update/refresh.

     UPDATE PROCESS START [ 09/29/16 17:54:50 ]
    
    ===[  DNSBL Process  ]================================================
    
    [ EZlist ]		 Reload . completed ..
      ----------------------------------------------------------------------
      Orig.    Unique     # Dups     # White    # Alexa    Final                
      ----------------------------------------------------------------------
      5844     5518       0          0          0          5518                 
      ----------------------------------------------------------------------
      IP count=28
    
    [ EZpriv ]		 Reload [ 09/29/16 17:54:52 ] . completed ..
      ----------------------------------------------------------------------
      Orig.    Unique     # Dups     # White    # Alexa    Final                
      ----------------------------------------------------------------------
      2659     2640       20         0          0          2620                 
      ----------------------------------------------------------------------
      IP count=14
    
    [ DNSBL_IP ]		 Updating aliastable [ 09/29/16 17:54:53 ]... 
      no changes.
      Total IP count = 42
    
    ------------------------------------------
    Assembling database... completed
    Validating database... completed [ 09/29/16 17:54:54 ]
    Reloading Unbound... Failed to Reload... Restoring previous database.... Not completed.
    
    *** DNSBL update [ 0 ] [ 8138 ] ... OUT OF SYNC ! ***
    ------------------------------------------
    
    ===[  Continent Process  ]============================================
    
    ===[  Aliastables / Rules  ]==========================================
    
    No changes to Firewall rules, skipping Filter Reload
    No Changes to Aliases, Skipping pfctl Update
    
    ===[ FINAL Processing ]=====================================
    
       [ Original IP count   ]  [ 0 ]
    
       [ Final IP Count  ]  [ 0 ]
    
    ===[ DNSBL Domain/IP Counts ] ===================================
    
        8180 total
        5518 /var/db/pfblockerng/dnsbl/EZlist.txt
        2620 /var/db/pfblockerng/dnsbl/EZpriv.txt
          28 /var/db/pfblockerng/dnsbl/EZlist.ip
          14 /var/db/pfblockerng/dnsbl/EZpriv.ip
    ===============================================================
    
    Database Sanity check [  PASSED  ]
    ------------------------
    Masterfile/Deny folder uniq check
    Deny folder/Masterfile uniq check
    
    Sync check (Pass=No IPs reported)
    ----------
    
    IPv4 alias tables IP count
    -----------------------------
    42
    
    IPv6 alias tables IP count
    -----------------------------
    0
    
    Alias table IP Counts
    -----------------------------
          42 /var/db/aliastables/pfB_DNSBLIP.txt
    
    pfSense Table Stats
    -------------------
    table-entries hard limit  2000000
    Table Usage Count         66
    
     UPDATE PROCESS ENDED [ 09/29/16 17:54:56 ]
    
    

    At the same time these messages appear in the DNS Resolver log (newest line at the top). Never mind the different time stamps compared to above; I tried it multiple times.

    Sep 29 18:07:02 	unbound 	71145:0 	error: remote control failed ssl crypto error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
    Sep 29 18:07:02 	unbound 	71145:0 	notice: failed connection from 127.0.0.1 port 24090
    Sep 29 18:07:02 	unbound 	71145:0 	error: remote control connection closed prematurely
    Sep 29 18:07:02 	unbound 	71145:0 	error: remote control failed ssl crypto error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
    Sep 29 18:07:02 	unbound 	71145:0 	notice: failed connection from 127.0.0.1 port 48160
    Sep 29 18:07:02 	unbound 	71145:0 	error: remote control connection closed prematurely
    Sep 29 18:07:02 	unbound 	71145:0 	error: remote control failed ssl crypto error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
    Sep 29 18:07:02 	unbound 	71145:0 	notice: failed connection from 127.0.0.1 port 60622
    Sep 29 18:07:02 	unbound 	71145:0 	error: remote control connection closed prematurely
    Sep 29 18:07:02 	unbound 	71145:0 	error: remote control failed ssl crypto error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
    Sep 29 18:07:02 	unbound 	71145:0 	notice: failed connection from 127.0.0.1 port 35310
    Sep 29 18:07:02 	unbound 	71145:0 	error: remote control connection closed prematurely
    Sep 29 18:07:02 	unbound 	71145:0 	error: remote control failed ssl crypto error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
    Sep 29 18:07:02 	unbound 	71145:0 	notice: failed connection from 127.0.0.1 port 10312
    Sep 29 18:07:02 	unbound 	71145:0 	error: remote control connection closed prematurely 
    

    Any ideas where I should look next?


  • Moderator

    @fpv:

    Sep 29 18:07:02 unbound 71145:0 error: remote control failed ssl crypto error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
    Sep 29 18:07:02 unbound 71145:0 notice: failed connection from 127.0.0.1 port 24090
    Sep 29 18:07:02 unbound 71145:0 error: remote control connection closed prematurely
    Sep 29 18:07:02 unbound 71145:0 error: remote control failed ssl crypto error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
    Sep 29 18:07:02 unbound 71145:0 notice: failed connection from 127.0.0.1 port 48160
    Sep 29 18:07:02 unbound 71145:0 error: remote control connection closed prematurely
    Sep 29 18:07:02 unbound 71145:0 error: remote control failed ssl crypto error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
    Sep 29 18:07:02 unbound 71145:0 notice: failed connection from 127.0.0.1 port 60622
    Sep 29 18:07:02 unbound 71145:0 error: remote control connection closed prematurely
    Sep 29 18:07:02 unbound 71145:0 error: remote control failed ssl crypto error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
    Sep 29 18:07:02 unbound 71145:0 notice: failed connection from 127.0.0.1 port 35310
    Sep 29 18:07:02 unbound 71145:0 error: remote control connection closed prematurely
    Sep 29 18:07:02 unbound 71145:0 error: remote control failed ssl crypto error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
    Sep 29 18:07:02 unbound 71145:0 notice: failed connection from 127.0.0.1 port 10312
    Sep 29 18:07:02 unbound 71145:0 error: remote control connection closed prematurely

    Any ideas where I should look next?

    Did you enable DNSSEC in the Resolver? If you're using the Resolver in "Forwarder mode", ensure that the DNS Servers that you're using support DNSSEC.



  • Thanks for getting back so quickly. DNSSEC was enabled, forwarding was not. I disabled DNSSEC, restarted unbound and tried again, but the messages remain the same on both fronts.


  • Moderator

    Enable "Suppression" in the pfBlockerNG General Tab, then run a "Force Reload - All" and see if that fixes it for you…

    Does this command execute ok?

    unbound-control -c /var/unbound/unbound.conf status
    


  • Enabled suppression and tried again, still the same.

    And no, the command does not execute OK:

    error: Error setting up SSL_CTX client key and cert
    34386131464:error:0200100D:system library:fopen:Permission denied:/builder/pfsense-232/tmp/FreeBSD-src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('/var/unbound/unbound_control.pem','r')
    34386131464:error:20074002:BIO routines:FILE_CTRL:system lib:/builder/pfsense-232/tmp/FreeBSD-src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400:
    34386131464:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/builder/pfsense-232/tmp/FreeBSD-src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:687:
    
    

  • Moderator

    Something is wrong with the Resolver installation… Leave DNSBL disabled for now, and post in the DHCP/DNS section to see how to fix that issue with the base software...

    Make sure to post what version of pfSense you are using. Or maybe try a fresh install and copy back your current config?

    Once you have the Resolver functional, then re-enable DNSBL...



  • All right, thanks for your help.

    One more thing: When I ran the unbound-control command just then I was NOT logged in as admin/root, but as another user who I thought had the same rights, which does not seem to be true. Running as root gives me

    unbound-control -c /var/unbound/unbound.conf status
    error: SSL handshake failed
    34386131464:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/builder/pfsense-232/tmp/FreeBSD-src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1185:
    


  • I don't know how, but a reboot seems to have fixed it. unbound doesn't throw any errors, and DNSBL works as it should.



  • I had the same problem, but a restart didn't work for me.

    What did help is that I disabled EasyPrivacy in DNSBL EasyList.

    Not sure why this happened exactly, but maybe it will help people out who find this topic.



  • I had this same Error: Reloading Unbound… Failed to Reload... Restoring previous database.... Not completed.

    Disabling EasyPrivacy in DNSBL EasyList also worked for me.

    Using pfSense 2.4.2-p1, the latest release.



  • I had the same issues and found another solution:

    Sometimes the certificates generated by unbound are not valid (by time/date/etc.).

    Solution: delete all certificates from unbound in the folder /var/unbound/, then restart pfSense/unbound.
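
Added example, written for this thread and not code from pfSense, pfBlockerNG or the unbound project: a POSIX shell check of the certificate material behind the errors above. Both failures in the thread come from the TLS connection between unbound-control and the unbound daemon. The root-mode "SSL3_GET_SERVER_CERTIFICATE:certificate verify failed" is the client rejecting the certificate the daemon presented, and the daemon's "sslv3 alert bad certificate" lines are that rejection arriving as an alert from 127.0.0.1; the earlier "fopen ... Permission denied" is simply the non-root run. The script checks the four files the way each side uses them: readable, each private key matching its certificate, and both certificates verifying against unbound_server.pem as the trust anchor, which also catches the out-of-date-window certificates the last post describes. Assumptions: /var/unbound holds unbound_server.key/.pem and unbound_control.key/.pem laid out as unbound-control-setup(8) does, with the control certificate signed by the server key; the make_demo_certs helper and the key material it produces are constructed here only so the check can be exercised offline.

```shell
#!/bin/sh
# check_unbound_control_certs.sh (added example, not pfSense/pfBlockerNG code)
#
# unbound-control talks to unbound over TLS with client certificates. Both ends
# read their material from the same directory (/var/unbound on pfSense):
#   unbound_server.key / unbound_server.pem   daemon key + self-signed cert; the
#                                             cert is also the client's trust anchor
#   unbound_control.key / unbound_control.pem client key + cert signed by the server key
# Assumption: that is the layout unbound-control-setup(8) produces. If unbound.conf
# points server-cert-file/control-cert-file elsewhere, pass that directory instead.

# check_unbound_control_certs DIR -> returns 0 only if every check passes
check_unbound_control_certs() {
    dir=$1
    bad=0
    for f in unbound_server.key unbound_server.pem unbound_control.key unbound_control.pem; do
        if [ ! -r "$dir/$f" ]; then
            echo "FAIL: $dir/$f missing or not readable (the keys are root-only; run this as root)"
            bad=1
        fi
    done
    [ "$bad" -eq 0 ] || return 1

    # 1. Each private key must belong to its certificate. A key regenerated next
    #    to a stale .pem breaks the handshake on that side.
    for base in unbound_server unbound_control; do
        kpub=$(openssl pkey -in "$dir/$base.key" -pubout 2>/dev/null) || kpub=""
        cpub=$(openssl x509 -in "$dir/$base.pem" -pubkey -noout 2>/dev/null) || cpub=""
        if [ -z "$kpub" ] || [ "$kpub" != "$cpub" ]; then
            echo "FAIL: $base.key does not match $base.pem"
            bad=1
        fi
    done

    # 2. The server cert must verify against itself and the control cert must
    #    chain to it, mirroring how each side loads unbound_server.pem as its CA.
    #    openssl verify also rejects a certificate outside its notBefore/notAfter
    #    window, which is what a wrong clock at generation time produces. The
    #    printed result is checked rather than the exit code so the test reads
    #    the same across old and new openssl releases.
    for c in unbound_server.pem unbound_control.pem; do
        out=$(openssl verify -CAfile "$dir/unbound_server.pem" "$dir/$c" 2>&1) || true
        case "$out" in
            *": OK"*) ;;
            *) echo "FAIL: $c does not verify against unbound_server.pem: $out"; bad=1 ;;
        esac
    done

    [ "$bad" -eq 0 ] && echo "OK: $dir control certificates are consistent"
    return "$bad"
}

# make_demo_certs DIR -> constructed sample input: a fresh, consistent set of the
# four files (hypothetical key material generated on the spot, not taken from any
# real installation). A private openssl config is used so the result does not
# depend on whatever /etc/ssl/openssl.cnf says.
make_demo_certs() {
    dir=$1
    mkdir -p "$dir" || return 1
    cat >"$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unbound
[ca_ext]
basicConstraints = critical, CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -config "$dir/req.cnf" -extensions ca_ext \
        -keyout "$dir/unbound_server.key" -out "$dir/unbound_server.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" -subj "/CN=unbound-control" \
        -keyout "$dir/unbound_control.key" 2>/dev/null |
    openssl x509 -req -days 3650 -CA "$dir/unbound_server.pem" -CAkey "$dir/unbound_server.key" \
        -CAcreateserial -out "$dir/unbound_control.pem" 2>/dev/null || return 1
    chmod 600 "$dir/unbound_server.key" "$dir/unbound_control.key"
}

# Usage on the firewall, as root:
#   . ./check_unbound_control_certs.sh && check_unbound_control_certs /var/unbound
```

A FAIL from step 1 or 2 means the pair the daemon loaded and the pair unbound-control reads no longer fit together, or one certificate is outside its validity window; the remedy the last post reports (remove the files and restart the Resolver so they are regenerated) is what you would do next, and the check can be rerun afterwards to confirm the new set is consistent before re-enabling DNSBL.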


 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy