[SOLVED] pfBlockerNG - Reloading unbound fails
-
Hello!
I installed pfSense 2.3.2 and wanted to give pfBlockerNG a try. I activated the EasyList for DNSBL, but there is an error when unbound is supposed to be reloaded during the update/refresh.
UPDATE PROCESS START [ 09/29/16 17:54:50 ]

===[ DNSBL Process ]================================================

[ EZlist ] Reload . completed ..
----------------------------------------------------------------------
 Orig.  Unique  # Dups  # White  # Alexa  Final
----------------------------------------------------------------------
 5844   5518    0       0        0        5518
----------------------------------------------------------------------
IP count=28

[ EZpriv ] Reload [ 09/29/16 17:54:52 ] . completed ..
----------------------------------------------------------------------
 Orig.  Unique  # Dups  # White  # Alexa  Final
----------------------------------------------------------------------
 2659   2640    20      0        0        2620
----------------------------------------------------------------------
IP count=14

[ DNSBL_IP ] Updating aliastable [ 09/29/16 17:54:53 ]... no changes.
Total IP count = 42
------------------------------------------
Assembling database... completed
Validating database... completed [ 09/29/16 17:54:54 ]
Reloading Unbound... Failed to Reload... Restoring previous database.... Not completed.

*** DNSBL update [ 0 ] [ 8138 ] ... OUT OF SYNC ! ***
------------------------------------------

===[ Continent Process ]============================================

===[ Aliastables / Rules ]==========================================
No changes to Firewall rules, skipping Filter Reload
No Changes to Aliases, Skipping pfctl Update

===[ FINAL Processing ]=====================================
[ Original IP count ] [ 0 ]
[ Final IP Count ] [ 0 ]

===[ DNSBL Domain/IP Counts ] ===================================
 8180 total
 5518 /var/db/pfblockerng/dnsbl/EZlist.txt
 2620 /var/db/pfblockerng/dnsbl/EZpriv.txt
   28 /var/db/pfblockerng/dnsbl/EZlist.ip
   14 /var/db/pfblockerng/dnsbl/EZpriv.ip
===============================================================

Database Sanity check [ PASSED ]
------------------------
Masterfile/Deny folder uniq check
Deny folder/Masterfile uniq check
Sync check (Pass=No IPs reported)
----------
IPv4 alias tables IP count
-----------------------------
 42
IPv6 alias tables IP count
-----------------------------
 0
Alias table IP Counts
-----------------------------
 42 /var/db/aliastables/pfB_DNSBLIP.txt

pfSense Table Stats
-------------------
table-entries hard limit 2000000
Table Usage Count 66

UPDATE PROCESS ENDED [ 09/29/16 17:54:56 ]
At the same time these messages appear in the DNS Resolver log (newest line at the top). Never mind the time stamps differing from those above; I tried it multiple times.
Sep 29 18:07:02 unbound 71145:0 error: remote control failed ssl crypto error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Sep 29 18:07:02 unbound 71145:0 notice: failed connection from 127.0.0.1 port 24090
Sep 29 18:07:02 unbound 71145:0 error: remote control connection closed prematurely
Sep 29 18:07:02 unbound 71145:0 error: remote control failed ssl crypto error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Sep 29 18:07:02 unbound 71145:0 notice: failed connection from 127.0.0.1 port 48160
Sep 29 18:07:02 unbound 71145:0 error: remote control connection closed prematurely
Sep 29 18:07:02 unbound 71145:0 error: remote control failed ssl crypto error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Sep 29 18:07:02 unbound 71145:0 notice: failed connection from 127.0.0.1 port 60622
Sep 29 18:07:02 unbound 71145:0 error: remote control connection closed prematurely
Sep 29 18:07:02 unbound 71145:0 error: remote control failed ssl crypto error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Sep 29 18:07:02 unbound 71145:0 notice: failed connection from 127.0.0.1 port 35310
Sep 29 18:07:02 unbound 71145:0 error: remote control connection closed prematurely
Sep 29 18:07:02 unbound 71145:0 error: remote control failed ssl crypto error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Sep 29 18:07:02 unbound 71145:0 notice: failed connection from 127.0.0.1 port 10312
Sep 29 18:07:02 unbound 71145:0 error: remote control connection closed prematurely
Any ideas where I should look next?
-
@fpv:
Sep 29 18:07:02 unbound 71145:0 error: remote control failed ssl crypto error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Sep 29 18:07:02 unbound 71145:0 notice: failed connection from 127.0.0.1 port 24090
Sep 29 18:07:02 unbound 71145:0 error: remote control connection closed prematurely
Sep 29 18:07:02 unbound 71145:0 error: remote control failed ssl crypto error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Sep 29 18:07:02 unbound 71145:0 notice: failed connection from 127.0.0.1 port 48160
Sep 29 18:07:02 unbound 71145:0 error: remote control connection closed prematurely
Sep 29 18:07:02 unbound 71145:0 error: remote control failed ssl crypto error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Sep 29 18:07:02 unbound 71145:0 notice: failed connection from 127.0.0.1 port 60622
Sep 29 18:07:02 unbound 71145:0 error: remote control connection closed prematurely
Sep 29 18:07:02 unbound 71145:0 error: remote control failed ssl crypto error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Sep 29 18:07:02 unbound 71145:0 notice: failed connection from 127.0.0.1 port 35310
Sep 29 18:07:02 unbound 71145:0 error: remote control connection closed prematurely
Sep 29 18:07:02 unbound 71145:0 error: remote control failed ssl crypto error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Sep 29 18:07:02 unbound 71145:0 notice: failed connection from 127.0.0.1 port 10312
Sep 29 18:07:02 unbound 71145:0 error: remote control connection closed prematurely
Any ideas where I should look next?
Did you enable DNSSEC in the Resolver? If you're using the Resolver in "Forwarder mode", ensure that the DNS servers you're using support DNSSEC.
-
Thanks for getting back so quickly. DNSSEC was enabled, forwarding was not. I disabled DNSSEC, restarted unbound and tried again, but the messages remain the same on both fronts.
-
Enable "Suppression" in the pfBlockerNG General Tab, then run a "Force Reload - All" and see if that fixes it for you…
Does this command execute ok?
unbound-control -c /var/unbound/unbound.conf status
-
Enabled suppression and tried again, still the same.
And no, the command does not execute OK:
error: Error setting up SSL_CTX client key and cert
34386131464:error:0200100D:system library:fopen:Permission denied:/builder/pfsense-232/tmp/FreeBSD-src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('/var/unbound/unbound_control.pem','r')
34386131464:error:20074002:BIO routines:FILE_CTRL:system lib:/builder/pfsense-232/tmp/FreeBSD-src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400:
34386131464:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/builder/pfsense-232/tmp/FreeBSD-src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:687:
-
Something is wrong with the Resolver installation… Leave DNSBL disabled for now, and post in the DHCP/DNS section to see how to fix that issue with the base software...
Make sure to post what version of pfSense you are using. Or maybe try a fresh install and copy back your current config?
Once you have the Resolver functional, then re-enable DNSBL...
-
All right, thanks for your help.
One more thing: When I ran the unbound-control command just then I was NOT logged in as admin/root, but as another user who I thought had the same rights, which does not seem to be true. Running as root gives me
unbound-control -c /var/unbound/unbound.conf status
error: SSL handshake failed
34386131464:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/builder/pfsense-232/tmp/FreeBSD-src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1185:
-
I don't know how, but a reboot seems to have fixed it. unbound doesn't throw any errors, and DNSBL works as it should.
-
I had the same problem, restart didn't work for me.
What did help was disabling EasyPrivacy in DNSBL EasyList.
Not sure why this happened exactly, but maybe it will help people out who find this topic.
-
I had this same error: Reloading Unbound... Failed to Reload... Restoring previous database.... Not completed.
Disabling EasyPrivacy in DNSBL EasyList also worked for me.
Using pfSense 2.4.2-p1, latest release.
-
I had the same issues and found another solution:
Sometimes the certificates generated by unbound are not valid (by time/date/etc.).
Solution: delete all certificates from unbound in the folder /var/unbound/, then restart pfSense/unbound.
-
Same here,
after deleting
unbound_control.key
unbound_control.pem
unbound_server.key
unbound_server.pem
and rebooting, everything worked, no error in
unbound-control -c /var/unbound/unbound.conf status
-
@noplan said in [SOLVED] pfBlockerNG - Reloading unbound fails:
unbound-control -c /var/unbound/unbound.conf status
Hello, I am a beginner in pfSense. Please can you tell me what the commands are to delete these files? Or is there an interface to remove them?
-
rm unbound_control.key
Be aware, and understand what you are doing.
brNp
-
It worked for me, thanks everyone.
-
Cool thing!
have fun & stay safe nP
-
@noplan Many thanks. Removing those files (dated 1969) and restarting the Unbound service worked for me
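The thread above surfaces three distinct failure signatures around the unbound remote-control channel (the server rejecting the client certificate, the client failing to verify the server certificate, and a permission error reading unbound_control.pem), plus pfBlockerNG's own "Failed to Reload" line. The following triage helper is an added example, not pfSense or pfBlockerNG code: it scans Resolver log lines and unbound-control output for those signatures and maps each to the cause and fix the thread arrived at. The sample lines are constructed from the messages quoted in the thread; the cause labels and regular expressions are this example's own.

```python
"""Triage helper for the unbound-control / pfBlockerNG reload failures
discussed in this thread (added example, not pfSense or pfBlockerNG code)."""
import re
from collections import Counter

# Failure signatures quoted in the thread.  Each entry is
# (compiled regex, short cause label, remediation the thread converged on).
SIGNATURES = [
    (re.compile(r"remote control failed ssl crypto error.*bad certificate"),
     "server_rejected_client_cert",
     "unbound rejected the certificate unbound-control presented: the control/server "
     "key pair is invalid or out of sync; remove unbound_control.* and unbound_server.* "
     "from /var/unbound/ and restart unbound so they are regenerated"),
    (re.compile(r"SSL handshake failed.*certificate verify failed"),
     "client_rejected_server_cert",
     "unbound-control could not verify unbound's server certificate: check the files' "
     "validity dates against the system clock (files dated 1969 point at a clock that "
     "was wrong when they were generated) and regenerate them"),
    (re.compile(r"fopen:Permission denied:.*unbound_control\.pem"),
     "control_cert_unreadable",
     "unbound-control was run by a user that cannot read unbound_control.pem: "
     "run it as root"),
    (re.compile(r"Reloading Unbound\.\.\. Failed to Reload"),
     "pfblockerng_reload_failed",
     "pfBlockerNG could not reload unbound through unbound-control: check the Resolver "
     "log for TLS errors and confirm that "
     "'unbound-control -c /var/unbound/unbound.conf status' succeeds"),
]

# Source address/port of each connection unbound refused (for correlation).
PORT_RE = re.compile(r"failed connection from (\S+) port (\d+)")


def classify(line):
    """Return (cause, remediation) for one log line, or None if nothing matches."""
    for pattern, cause, remediation in SIGNATURES:
        if pattern.search(line):
            return cause, remediation
    return None


def triage(lines):
    """Count matching causes, collect refused control connections, and list
    the distinct remediations in the order they were first triggered."""
    causes = Counter()
    remediations = []
    refused = []
    for line in lines:
        hit = classify(line)
        if hit:
            cause, remediation = hit
            causes[cause] += 1
            if remediation not in remediations:
                remediations.append(remediation)
        m = PORT_RE.search(line)
        if m:
            refused.append((m.group(1), int(m.group(2))))
    return {"causes": dict(causes), "refused": refused, "remediations": remediations}


# Constructed sample input, assembled from the messages quoted in the thread.
SAMPLE_LINES = [
    "[ 09/29/16 17:54:54 ] Reloading Unbound... Failed to Reload... Restoring previous database.... Not completed.",
    "Sep 29 18:07:02 unbound 71145:0 error: remote control failed ssl crypto error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate",
    "Sep 29 18:07:02 unbound 71145:0 notice: failed connection from 127.0.0.1 port 24090",
    "Sep 29 18:07:02 unbound 71145:0 error: remote control connection closed prematurely",
    "Sep 29 18:07:02 unbound 71145:0 error: remote control failed ssl crypto error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate",
    "Sep 29 18:07:02 unbound 71145:0 notice: failed connection from 127.0.0.1 port 48160",
    "Sep 29 18:07:02 unbound 71145:0 error: remote control connection closed prematurely",
    "34386131464:error:0200100D:system library:fopen:Permission denied:/builder/pfsense-232/tmp/FreeBSD-src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('/var/unbound/unbound_control.pem','r')",
    "error: SSL handshake failed 34386131464:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/builder/pfsense-232/tmp/FreeBSD-src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1185:",
]

if __name__ == "__main__":
    report = triage(SAMPLE_LINES)
    for cause, count in sorted(report["causes"].items()):
        print(f"{count:3d}  {cause}")
    print("refused control connections:", report["refused"])
    for step in report["remediations"]:
        print("-", step)
```

On a live box the lines would come from the Resolver log and from running unbound-control as root; the point of separating the three TLS-related causes is that the permission error is a privilege problem (the OP's first unbound-control attempt was from a non-root account), while the two certificate errors both mean the self-signed control key pair must be regenerated, which, as the later replies found, happens when the four unbound_control.*/unbound_server.* files are removed and unbound is restarted.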