unbound fails to start, after bungled external SSL cert installation
-
I tried to install & use a Let's Encrypt SSL Cert for the pfSense webconfigurator, and it seems to have gone badly wrong and I switched back to the default SSL cert, but now unbound fails to [re]start, which proved quite the annoyance.
I logged in via SSH and tried to start it manually, so that I could see the error messages: -
[2.4.5-DEVELOPMENT][root@pfSense.furrie.net]/root: /usr/local/sbin/unbound -c /var/unbound/unbound.conf [1557785901] unbound[2889:0] error: error for cert file: /var/unbound/sslcert.crt [1557785901] unbound[2889:0] error: error in SSL_CTX use_certificate_chain_file crypto error:0906D06C:PEM routines:PEM_read_bio:no start line [1557785901] unbound[2889:0] error: and additionally crypto error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib [1557785901] unbound[2889:0] fatal error: could not set up listen SSL_CTX
-
Hi,
[1557785901] unbound[2889:0] error: error for cert file: /var/unbound/sslcert.crt
What does the file contains ? (a .crt or PEM file is readable)
Delete that file, and the /var/unbound/sslcert.key file and start unbound.
[1557785901] unbound[2889:0] fatal error: could not set up listen SSL_CTX
Do didn't activate
by any chance ?
If so => Don't !! -
@Gertjan yes, yes I did!
I've just unticked that checkbox & clicked save, which brought unbound back up :)
Thank you
[2.4.5-DEVELOPMENT][root@pfSense.furrie.net]/root: ls -la /var/unbound/sslcert.crt
-rw-r--r-- 1 root unbound 0 May 12 17:42 /var/unbound/sslcert.crt
[2.4.5-DEVELOPMENT][root@pfSense.furrie.net]/root: file /var/unbound/sslcert.crt
/var/unbound/sslcert.crt: empty
[2.4.5-DEVELOPMENT][root@pfSense.furrie.net]/root: ls -l /var/unbound/sslcert.key
-rw------- 1 root unbound 0 May 12 17:42 /var/unbound/sslcert.key -
Why did you have it checked in the first place?
-
@johnpoz I wanted the pfSense DNS resolver to respond to incoming SSL/TLS queries from local clients
-
@furriephillips said in unbound fails to start, after bungled external SSL cert installation:
DNS resolver to respond to incoming SSL/TLS queries from local clients
That is pretty stupid if you ask me... So you local network is hostile?
Or was it that your dns was too fast and your were looking to make it slower and require more config and way more resources.. And more complex to troubleshoot, etc.. ;)