Netgate Discussion Forum

[SOLVED] unbound - SSL handshake error

DHCP and DNS
    fpv
    Sep 29, 2016, 5:28 PM (last edited Sep 30, 2016, 8:27 AM)

    Hello!

    I seem to have a problem with unbound. I started a thread in the pfBlockerNG subforum, because that's where the error appeared to come from at first. Please have a look here.

    So when I execute

    unbound-control -c /var/unbound/unbound.conf status
    

    I get this

    error: SSL handshake failed
    34386131464:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/builder/pfsense-232/tmp/FreeBSD-src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1185:
    

    Here's the unbound.conf

    ##########################
    # Unbound Configuration
    ##########################
    
    ##
    # Server configuration
    ##
    server:
    
    chroot: /var/unbound
    username: "unbound"
    directory: "/var/unbound"
    pidfile: "/var/run/unbound.pid"
    use-syslog: yes
    port: 53
    verbosity: 1
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    do-daemonize: yes
    module-config: "iterator"
    unwanted-reply-threshold: 0
    num-queries-per-thread: 512
    jostle-timeout: 200
    infra-host-ttl: 900
    infra-cache-numhosts: 10000
    outgoing-num-tcp: 10
    incoming-num-tcp: 10
    edns-buffer-size: 4096
    cache-max-ttl: 86400
    cache-min-ttl: 0
    harden-dnssec-stripped: no
    msg-cache-size: 4m
    rrset-cache-size: 8m
    
    num-threads: 4
    msg-cache-slabs: 4
    rrset-cache-slabs: 4
    infra-cache-slabs: 4
    key-cache-slabs: 4
    outgoing-range: 4096
    #so-rcvbuf: 4m
    
    prefetch: yes
    prefetch-key: yes
    use-caps-for-id: no
    # Statistics
    # Unbound Statistics
    statistics-interval: 0
    extended-statistics: yes
    statistics-cumulative: yes
    
    # Interface IP(s) to bind to
    interface: 0.0.0.0
    interface: ::0
    interface-automatic: yes
    
    # Outgoing interfaces to be used
    outgoing-interface: 87.79.65.190
    
    # DNS Rebinding
    # For DNS Rebinding prevention
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 169.254.0.0/16
    private-address: 192.168.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
    # Set private domains in case authoritative name server returns a Private IP address
    private-domain: "somedomain.loc"
    domain-insecure: "somedomain.loc"
    
    # Access lists
    include: /var/unbound/access_lists.conf
    
    # Static host entries
    include: /var/unbound/host_entries.conf
    
    # dhcp lease entries
    include: /var/unbound/dhcpleases_entries.conf
    
    # Domain overrides
    include: /var/unbound/domainoverrides.conf
    
    # Unbound custom options
    
    ###
    # Remote Control Config
    ###
    
    

    I am running 2.3.2-RELEASE (amd64) on SSD with RAM disks for /tmp and /var.

    If need be the machine can be reinstalled, provided that I can reuse the config, but if someone does know what's wrong I'd like to try and fix it first.

    Thanks!

      fpv
      Sep 30, 2016, 8:28 AM

      Update: Had another look this morning, and the error is gone. I rebooted because of something else yesterday evening, and that seems to have done it. I thought that only works for Windows. Strange.

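Added example, not part of the thread: the posted unbound.conf ends at an empty "Remote Control Config" header, and `unbound-control` connects to the daemon over TLS using the key and certificate files named in the `remote-control:` clause. This sh script lists what that clause sets in a given file and whether each named file is readable; the function names are hypothetical, and `include:` lines are not followed.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumption: the remote-control: clause is in the file given; include: is not followed.

# Print "option<TAB>value" for each option inside the remote-control: clause.
remote_control_options() {
    awk '
        { sub(/[#].*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        $0 == "" { next }
        /^[a-z-]+:$/ { clause = $0; next }   # clause header such as server:
        clause == "remote-control:" {
            key = $0; sub(/:.*/, "", key)
            val = $0; sub(/^[^:]*:[ \t]*/, "", val)
            gsub(/"/, "", val)                # drop optional quotes
            print key "\t" val
        }
    ' "$1"
}

# Report control-enable and each key/certificate file; return 1 on a problem.
check_remote_control() {
    opts=$(remote_control_options "$1")
    rc=0
    enabled=$(printf '%s\n' "$opts" | awk -F '\t' '$1 == "control-enable" { print $2 }')
    if [ "$enabled" != "yes" ]; then
        echo "control-enable is not set to yes in $1"
        rc=1
    fi
    for opt in server-key-file server-cert-file control-key-file control-cert-file; do
        path=$(printf '%s\n' "$opts" | awk -F '\t' -v o="$opt" '$1 == o { print $2 }')
        if [ -z "$path" ]; then
            echo "$opt: not set in this file"
        elif [ -r "$path" ]; then
            echo "$opt: $path is readable"
        else
            echo "$opt: $path is missing or unreadable"
            rc=1
        fi
    done
    return "$rc"
}

# Stand-alone use: sh this_script.sh /var/unbound/unbound.conf
if [ "$#" -gt 0 ]; then
    check_remote_control "$1"
fi
```

On a system where `/var` is a RAM disk, the paths it reports are the ones to compare before and after a reboot.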