DNSBL enabled fail, SSL handshake failed



  • Hi

    I'm new to pfSense and tried to set up a DNSBL. I had it working once but had to do a factory reset on my device due to some other failed experiments.

    On my second time setting up pfBlockerNG with DNSBL I got everything set up as before, but the DNSBL doesn't screen the packages. In the pfblockerng.log I can find the following:

    Assembling DNSBL database...
    Configuring DNSBL... completed [ 11/16/18 18:24:02 ]
    Reloading Unbound Resolver..
    DNSBL enabled FAIL - restoring Unbound conf *** Fix error(s) and a Force Reload required! ***
    error: SSL handshake failed
    34391444536:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/crossbuild/ce-244/pfSense/tmp/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:.... Not completed. [ 11/16/18 18:24:03 ]

    *** DNSBL update [ 0 ] [ 213929 ] ... OUT OF SYNC ! ***
    Adding DNSBL Unbound server:include option

    The pfSense is my only DNS server in my network and no DNS servers are configured in the general config.
    My DNSBL feeds are also updating as they should (I'll spare you the wall of text from the log).

    On the dashboard the DNSBL shows the yellow exclamation mark with the message "DNSBL is out of Sync. Perform a force reload to correct", which I have done several times already.

    The VIP is accessible from my clients, which makes me think that DNSBL is actually running (or part of it is).

    Does anyone have an idea on how to resolve this issue?


  • Moderator

    @thegis said in DNSBL enabled fail, SSL handshake failed:

    error: SSL handshake failed
    34391444536:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/crossbuild/ce-244/pfSense/tmp/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:.... Not completed. [ 11/16/18 18:24:03 ]

    There is some issue with the pfSense Resolver (Unbound).
    Increase the Log Verbosity setting to "2" and check the Resolver.log for additional clues.



  • @thegis said in DNSBL enabled fail, SSL handshake failed:

    14090086

    This is what I saw after a reload of DNSBL. It might be worth mentioning that I used the backup/restore function for the dns resolver settings after my factory reset.

    Nov 16 19:55:05 unbound 11393:3 info: NSEC3s for the referral proved no DS.
    Nov 16 19:55:05 unbound 11393:3 info: Verified that unsigned response is INSECURE
    Nov 16 19:55:09 unbound 11393:0 error: remote control connection closed prematurely
    Nov 16 19:55:09 unbound 11393:0 notice: failed connection from 127.0.0.1 port 24488
    Nov 16 19:55:09 unbound 11393:0 error: remote control failed ssl crypto error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
    Nov 16 19:55:14 unbound 11393:0 error: remote control connection closed prematurely
    Nov 16 19:55:14 unbound 11393:0 notice: failed connection from 127.0.0.1 port 25340
    Nov 16 19:55:14 unbound 11393:0 error: remote control failed ssl crypto error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
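
    As an added illustration (not code from the thread, pfSense or pfBlockerNG), a small Python triage script that parses the unbound log format quoted above and the OpenSSL error strings seen in both logs, separating the remote-control TLS failures from the benign DNSSEC info lines; the sample log is constructed from the lines in this thread.

```python
import re
from collections import Counter

# Constructed sample, modelled on the Resolver.log lines quoted in the thread.
SAMPLE_LOG = """\
Nov 16 19:55:05 unbound 11393:3 info: NSEC3s for the referral proved no DS.
Nov 16 19:55:05 unbound 11393:3 info: Verified that unsigned response is INSECURE
Nov 16 19:55:09 unbound 11393:0 error: remote control connection closed prematurely
Nov 16 19:55:09 unbound 11393:0 notice: failed connection from 127.0.0.1 port 24488
Nov 16 19:55:09 unbound 11393:0 error: remote control failed ssl crypto error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
Nov 16 19:55:14 unbound 11393:0 error: remote control connection closed prematurely
Nov 16 19:55:14 unbound 11393:0 notice: failed connection from 127.0.0.1 port 25340
Nov 16 19:55:14 unbound 11393:0 error: remote control failed ssl crypto error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
"""

# "<Mon DD HH:MM:SS> unbound <pid>:<thread> <level>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) unbound (?P<pid>\d+):(?P<thread>\d+) (?P<level>\w+): (?P<msg>.*)$")
# OpenSSL error strings: "error:<8 hex digits>:<library>:<function>:<reason>[:<file>:<line>:]"
OPENSSL_ERR_RE = re.compile(r"error:(?P<code>[0-9a-fA-F]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^:]+)")
FAILED_CONN_RE = re.compile(r"failed connection from (?P<ip>[\d.]+) port (?P<port>\d+)")

def parse_openssl_error(text):
    """Pull the structured fields out of an OpenSSL error string, or return None."""
    m = OPENSSL_ERR_RE.search(text)
    return m.groupdict() if m else None

def summarize_remote_control_failures(log_text):
    """Tally unbound-control (remote control) failures in an unbound log.

    Returns which clients had control connections rejected and which OpenSSL
    reason strings were reported, so a certificate problem on the control
    channel is kept apart from ordinary DNSSEC info lines and other errors.
    """
    summary = {"failed_connections": Counter(), "ssl_reasons": Counter(), "other_errors": 0}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an unbound line; skip
        level, msg = m["level"], m["msg"]
        conn = FAILED_CONN_RE.search(msg)
        if level == "notice" and conn:
            summary["failed_connections"][conn["ip"]] += 1
        elif level == "error" and msg.startswith("remote control failed ssl crypto"):
            err = parse_openssl_error(msg)
            summary["ssl_reasons"][err["reason"] if err else "unknown"] += 1
        elif level == "error":
            summary["other_errors"] += 1
    return summary

if __name__ == "__main__":
    print(summarize_remote_control_failures(SAMPLE_LOG))
```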


  • Moderator

    @thegis

    Try to disable DNSSEC and reboot, then re-enable it.



  • I did the steps to no avail.
    I have uploaded my unbound.conf and remotecontrol.conf. Hopefully you can help me figure out what setting is wrong.
    0_1542452701420_conf.zip