Netgate Discussion Forum
    DNSBL enabled fail, SSL handshake failed

      Thegis
      last edited by Thegis

      Hi

      I'm new to pfSense and tried to set up a DNSBL. I had it working once but had to do a factory reset on my device due to some other failed experiments.

      On my second time setting up pfBlockerNG with DNSBL I got everything set up as before, but the DNSBL doesn't screen the packages. In the pfblockerng.log I can find the following:

      Assembling DNSBL database...
      Configuring DNSBL... completed [ 11/16/18 18:24:02 ]
      Reloading Unbound Resolver..
      DNSBL enabled FAIL - restoring Unbound conf *** Fix error(s) and a Force Reload required! ***
      error: SSL handshake failed
      34391444536:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/crossbuild/ce-244/pfSense/tmp/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:.... Not completed. [ 11/16/18 18:24:03 ]

      *** DNSBL update [ 0 ] [ 213929 ] ... OUT OF SYNC ! ***
      Adding DNSBL Unbound server:include option

      The pfSense is my only DNS server in my network and no DNS servers are configured in the general config.
      My DNSBL feeds are also updating as they should (I spare you the wall of text from the log).

      On the dashboard the DNSBL shows the yellow exclamation mark with the message "DNSBL is out of sync. Perform a force reload to correct", which I have done several times already.

      The VIP is accessible from my clients, which makes me think that DNSBL is actually running (or part of it is).

      Does anyone have an idea on how to resolve this issue?

        BBcan177 Moderator @Thegis
        last edited by

        @thegis said in DNSBL enabled fail, SSL handshake failed:

        error: SSL handshake failed
        34391444536:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/crossbuild/ce-244/pfSense/tmp/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:.... Not completed. [ 11/16/18 18:24:03 ]

        There is some issue with the pfSense Resolver (Unbound).
        Increase the Log Verbosity setting to "2" and check the Resolver.log for additional clues.

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

          Thegis
          last edited by

          @thegis said in DNSBL enabled fail, SSL handshake failed:

          14090086

          This is what I saw after a reload of DNSBL. It might be worth mentioning that I used the backup/restore function for the dns resolver settings after my factory reset.

          Nov 16 19:55:05 unbound 11393:3 info: NSEC3s for the referral proved no DS.
          Nov 16 19:55:05 unbound 11393:3 info: Verified that unsigned response is INSECURE
          Nov 16 19:55:09 unbound 11393:0 error: remote control connection closed prematurely
          Nov 16 19:55:09 unbound 11393:0 notice: failed connection from 127.0.0.1 port 24488
          Nov 16 19:55:09 unbound 11393:0 error: remote control failed ssl crypto error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
          Nov 16 19:55:14 unbound 11393:0 error: remote control connection closed prematurely
          Nov 16 19:55:14 unbound 11393:0 notice: failed connection from 127.0.0.1 port 25340
          Nov 16 19:55:14 unbound 11393:0 error: remote control failed ssl crypto error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate

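As an added example (not code from this thread, from pfBlockerNG or from Unbound), here is a small Python parser for the two kinds of diagnostic text quoted above: the Unbound resolver log lines from the post above and the OpenSSL error string from the pfblockerng.log in the first post. It pulls the OpenSSL error code, function and reason out of each line, counts the failed remote-control connections on the Unbound control socket, and flags the "bad certificate" pattern that points at a control cert/key mismatch. The log line format and regular expressions are assumptions derived from the lines shown; the sample lines are copied from this thread.

```python
"""Spot unbound-control TLS failures in Unbound resolver logs and
decode OpenSSL error strings such as the ones quoted in this thread."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed Unbound log line shape, taken from the lines in the post:
# "Nov 16 19:55:09 unbound 11393:0 error: remote control ..."
UNBOUND_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) unbound "
    r"(?P<pid>\d+):(?P<thread>\d+) (?P<level>\w+): (?P<msg>.*)$"
)

# Classic OpenSSL error string: error:<8 hex digits>:<lib>:<func>:<reason>[:file:line:]
OPENSSL_ERR = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^:]+)"
)

FAILED_CONN = re.compile(r"failed connection from (?P<ip>[\d.]+) port (?P<port>\d+)")


@dataclass
class OpenSSLError:
    code: str
    library: str
    function: str
    reason: str


def parse_openssl_error(text: str) -> Optional[OpenSSLError]:
    """Extract the first OpenSSL error triple from any log text, or None."""
    m = OPENSSL_ERR.search(text)
    if not m:
        return None
    return OpenSSLError(m["code"], m["lib"], m["func"], m["reason"].strip())


def analyze_unbound_log(lines: Iterable[str]) -> dict:
    """Summarise remote-control failures seen in Unbound log lines."""
    client_ports = []   # source ports of rejected control connections
    ssl_errors = []     # decoded OpenSSL errors on the control socket
    closed_prematurely = 0
    for line in lines:
        m = UNBOUND_LINE.match(line.strip())
        if not m:
            continue  # not an Unbound line (or a format we don't know)
        msg = m["msg"]
        if m["level"] == "notice":
            fc = FAILED_CONN.search(msg)
            if fc:
                client_ports.append(int(fc["port"]))
        elif m["level"] == "error" and msg.startswith("remote control"):
            if "closed prematurely" in msg:
                closed_prematurely += 1
            err = parse_openssl_error(msg)
            if err:
                ssl_errors.append(err)
    reasons = Counter(e.reason for e in ssl_errors)
    return {
        "failed_connections": len(client_ports),
        "client_ports": client_ports,
        "closed_prematurely": closed_prematurely,
        "ssl_errors": ssl_errors,
        "reasons": reasons,
        # "bad certificate" from the server side means it rejected the client
        # (unbound-control) certificate: check that the control cert/key pair
        # referenced in unbound.conf was issued by the configured server cert.
        "cert_mismatch_suspected": any("bad certificate" in r for r in reasons),
    }


# Sample lines copied from the post above (not constructed).
SAMPLE_LOG = """\
Nov 16 19:55:05 unbound 11393:3 info: NSEC3s for the referral proved no DS.
Nov 16 19:55:05 unbound 11393:3 info: Verified that unsigned response is INSECURE
Nov 16 19:55:09 unbound 11393:0 error: remote control connection closed prematurely
Nov 16 19:55:09 unbound 11393:0 notice: failed connection from 127.0.0.1 port 24488
Nov 16 19:55:09 unbound 11393:0 error: remote control failed ssl crypto error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
Nov 16 19:55:14 unbound 11393:0 error: remote control connection closed prematurely
Nov 16 19:55:14 unbound 11393:0 notice: failed connection from 127.0.0.1 port 25340
Nov 16 19:55:14 unbound 11393:0 error: remote control failed ssl crypto error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
""".splitlines()

# The client-side error from pfblockerng.log in the first post.
PFBLOCKERNG_ERROR = (
    "34391444536:error:14090086:SSL routines:ssl3_get_server_certificate:"
    "certificate verify failed:/crossbuild/ce-244/pfSense/tmp/FreeBSD-src/"
    "crypto/openssl/ssl/s3_clnt.c:1269:"
)

if __name__ == "__main__":
    summary = analyze_unbound_log(SAMPLE_LOG)
    print(f"rejected control connections: {summary['failed_connections']} "
          f"from ports {summary['client_ports']}")
    for reason, n in summary["reasons"].items():
        print(f"  {n}x {reason}")
    print("client side:", parse_openssl_error(PFBLOCKERNG_ERROR))
```

Reading both sides together is the useful part: the server (Unbound) says it received a bad client certificate, and the client (pfBlockerNG's unbound-control call) says it could not verify the server certificate, so neither end trusts the other's certificate on the control socket. That is consistent with a restored unbound.conf that references control key and certificate files which no longer match each other; confirming or ruling that out means comparing the files the running config points at, not changing DNSBL settings.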
            BBcan177 Moderator @Thegis
            last edited by

            @thegis

            Try to disable DNSSEC and reboot, then re-enable it.


              Thegis
              last edited by Thegis

              I did the steps to no avail.
              I have uploaded my unbound.conf and remotecontrol.conf. Hopefully you can help me figure out which setting is wrong.
              0_1542452701420_conf.zip
