Netgate SG-1100 - 2.4.4-RELEASE-p3 - Unbound Won't start



  • We have two Netgate SG-1100s, both running pfSense 2.4.4-RELEASE-p3. Both have the DNS Resolver (unbound) enabled, but neither will start the unbound service.

    The DNS Resolver Log only has:
    May 24 11:12:29 kernel unbound: 1.8.1 -> 1.9.1 [pfSense]

    The General Log has:
    May 31 14:11:09 dhcpleases Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such file or directory.
    May 31 14:11:10 dhcpleases Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such file or directory.
    May 31 14:11:10 dhcpleases Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such file or directory.
    May 31 14:11:13 dhcpleases Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such file or directory.
    May 31 14:11:13 dhcpleases Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such file or directory.
    May 31 14:11:15 dhcpleases kqueue error: unknown
    May 31 14:11:15 dhcpleases Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such file or directory.
    May 31 14:12:03 dhcpleases /etc/hosts changed size from original!
    May 31 14:12:03 dhcpleases Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such file or directory.
    May 31 14:12:08 php-fpm 95254 /status_services.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1559333528] unbound[47979:0] error: Error for server-cert-file: /var/unbound/unbound_server.pem [1559333528] unbound[47979:0] error: Error in SSL_CTX use_certificate_chain_file crypto error:0906D06C:PEM routines:PEM_read_bio:no start line [1559333528] unbound[47979:0] error: and additionally crypto error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib [1559333528] unbound[47979:0] fatal error: could not set up remote-control'

    The DHCP Server logs has:
    May 31 14:16:59 dhcpleases Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such file or directory.

    DNS Forwarder is disabled

    We have the DNS Resolver enabled, and listening on port 53, and 853 for SSL/TLS.

    Nothing we have tried in the other forum posts has worked.
    https://forum.netgate.com/topic/94320/unbound-does-not-automatically-start-after-reboot/13
    https://www.reddit.com/r/PFSENSE/comments/73x9kq/unbound_not_starting_no_dns_resolving_for_network/

    DNS resolution appears to work; however, this service is not running, so I'm not sure how it could be working but not running.

    Any suggestions?





  • This does not apply to this issue. I don't even have a file or directory called /var/unbound.

    I do not have pfBlockerNG installed; this is a Netgate hardware appliance.

    We also are not using any ports other than the defaults, so we are not using port 953.



  • Well, a problem with the certificate doesn't involve pfBlockerNG.

    Did you save the settings in DNS Resolver? Maybe that could create the /var/unbound folder and start the service.



  • Saved settings 5 times, and still no change, and /var/unbound was not created.

    Oddly, the 2nd one is now working; no change was made and it was saved.

    The other one is not working; no change was made and it was saved, but it is still not working.

    Neither has /var/unbound created, but one works and the other does not; both are the same model and firmware level.

    Same error as listed in logs.

    We also see this in the logs as well:
    Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such file or directory.

    After clicking SAVE and then APPLY, I get that the change was successful:
    The changes have been applied successfully.
    but still will not start the unbound service.



  • I am now getting a lot of these on the SG-1100 that is NOT working:

    /services_unbound.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1559525137] unbound[99413:0] error: Error for server-cert-file: /var/unbound/unbound_server.pem [1559525137] unbound[99413:0] error: Error in SSL_CTX use_certificate_chain_file crypto error:0906D06C:PEM routines:PEM_read_bio:no start line [1559525137] unbound[99413:0] error: and additionally crypto error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib [1559525137] unbound[99413:0] fatal error: could not set up remote-control'

    Would deleting the pem files correct this issue?



  • Yes: stop unbound, delete all certificate files, save settings, start unbound; if that doesn't work, reboot the system.



  • @RonpfS Unbound is not running; actually, it won't start, which is what started this whole issue. I have one SG-1100 on which unbound starts, and another SG-1100 on which unbound won't start..... I'll try deleting the pem files and restarting unbound and report back the findings.



  • That worked! Thanks @RonpfS - I now have the unbound service running on both SG-1100 appliances. THANKS A LOT!



  • The directory

    /var/unbound

    was always there.

    If not, this error:

    May 31 14:12:08 php-fpm 95254 /status_services.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1559333528] unbound[47979:0] error: Error for server-cert-file: /var/unbound/unbound_server.pem [1559333528] unbound[47979:0] error: Error in SSL_CTX use_certificate_chain_file crypto error:0906D06C:PEM routines:PEM_read_bio:no start line [1559333528] unbound[47979:0] error: and additionally crypto error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib [1559333528] unbound[47979:0] fatal error: could not set up remote-control'

    wasn't possible.

    unbound found its settings file /var/unbound/unbound.conf and had trouble reading a cert file mentioned in /var/unbound/unbound.conf.
    That is a file called unbound.conf in the directory /var/unbound/. So both exist.

    Check why you couldn't find /var/unbound/.

    [2.4.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: cd /var
    [2.4.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/var: cd unbound/
    [2.4.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/var/unbound: ls -al 
    total 80
    drwxr-xr-x   5 unbound  unbound  1024 May 22 17:22 .
    drwxr-xr-x  32 root     wheel     512 May 16 00:55 ..
    -rw-r--r--   1 root     unbound   345 May 22 17:22 access_lists.conf
    drwxr-xr-x   2 unbound  unbound   512 May 16 00:55 conf.d
    -rw-r--r--   1 root     unbound     0 May 22 17:22 dhcpleases_entries.conf
    -rw-r--r--   1 root     unbound  3578 Nov 25  2015 dnsbl_cert.pem
    -rw-r--r--   1 root     unbound     0 May 22 17:22 domainoverrides.conf
    -rw-r--r--   1 root     unbound  6192 May 22 17:22 host_entries.conf
    -rw-r--r--   1 unbound  unbound  1668 May 21 12:59 netflix-no-aaaa.py
    -rw-r--r--   1 root     unbound     0 Jun  7  2016 pfb_dnsbl.conf
    -rw-r--r--   1 root     unbound  1216 May 30  2016 pfb_dnsbl_lighty.conf
    -rw-r--r--   1 root     unbound   300 Jan 29  2015 remotecontrol.conf
    -rw-r--r--   1 unbound  unbound   759 May 22 17:22 root.key
    -rw-r--r--   1 root     unbound  3953 Mar  1 17:30 sslcert.crt
    -rw-------   1 root     unbound  3247 Mar  1 17:30 sslcert.key
    -rw-r--r--   1 root     unbound  1985 May 22 17:22 unbound.conf
    -rw-r-----   1 unbound  unbound  1277 Jan 29  2015 unbound_control.key
    -rw-r-----   1 unbound  unbound   802 Jan 29  2015 unbound_control.pem
    -rw-r-----   1 unbound  unbound  1277 Jan 29  2015 unbound_server.key
    -rw-r-----   1 unbound  unbound   790 Jan 29  2015 unbound_server.pem
    drwxr-xr-x   3 root     unbound   512 Jan  8  2018 usr
    drwxr-xr-x   3 root     unbound   512 Jan  8  2018 var

    You are using the console access, right?
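    As an added diagnostic for the failure discussed in this thread (not pfSense's, Netgate's or unbound's own tooling), the POSIX sh script below reads the four remote-control key/cert paths out of unbound.conf and checks that each file actually contains a PEM block; a missing "-----BEGIN ...-----" line is exactly what the "PEM_read_bio:no start line" error in the logs above means. It assumes the /var/unbound layout shown in the listing and the standard unbound directive names (server-cert-file, server-key-file, control-cert-file, control-key-file).

```sh
#!/bin/sh
# Added diagnostic for the thread above; not pfSense's or unbound's own code.
# Checks that every key/cert file named in unbound's remote-control section
# holds a real PEM block: no "-----BEGIN ...-----" line is exactly what
# "PEM_read_bio:no start line" means, and it keeps unbound from starting.
# Assumption: pfSense layout (/var/unbound/unbound.conf, unbound_server.*,
# unbound_control.*), paths without spaces.

# check_pem FILE: 0 if FILE holds at least one complete BEGIN/END PEM block,
# 1 if it is missing, empty, or has no header (the "no start line" case).
check_pem() {
    f=$1
    [ -s "$f" ] || { echo "MISSING/EMPTY: $f"; return 1; }
    # grep -c prints 0 and exits 1 on no match; keep the count, drop the status
    begins=$(grep -c '^-----BEGIN ' "$f" || true)
    ends=$(grep -c '^-----END ' "$f" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "NO PEM BLOCK: $f (BEGIN=$begins END=$ends)"
        return 1
    fi
    return 0
}

# cert_parses FILE: when openssl is on the box, confirm the certificate really
# parses (a header alone is not enough for a usable server-cert-file).
cert_parses() {
    command -v openssl >/dev/null 2>&1 || return 0   # nothing to check with
    openssl x509 -noout -in "$1" 2>/dev/null || { echo "UNPARSEABLE CERT: $1"; return 1; }
}

# check_unbound_certs CONF: extract the server/control key and cert paths from
# CONF's remote-control section and check each. Returns the number of bad files.
check_unbound_certs() {
    conf=$1
    bad=0
    for p in $(sed -E -n \
        's/^[[:space:]]*(server|control)-(key|cert)-file:[[:space:]]*"?([^"[:space:]]*)"?.*/\3/p' \
        "$conf"); do
        check_pem "$p" || bad=$((bad + 1))
    done
    return "$bad"
}

# On the appliance: sh check_unbound_pem.sh /var/unbound/unbound.conf
if [ "$#" -gt 0 ]; then
    check_unbound_certs "$1"
    for c in /var/unbound/unbound_server.pem /var/unbound/unbound_control.pem; do
        cert_parses "$c"
    done
fi
```

    A non-zero exit from check_unbound_certs tells you which files to regenerate (the thread's fix: stop unbound, remove the bad certificate files, save the DNS Resolver settings so pfSense recreates them, then start unbound).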


  • LAYER 8 Global Moderator

    @BEB-Consulting said in Netgate SG-1100 - 2.4.4-RELEASE-p3 - Unbound Won't start:

    and 853 for SSL/TLS.

    More than likely this was the root of your problem... If you're going to want unbound to listen on 853, then you have to take the time to make sure the cert it's going to use is valid, etc.

    That is clearly not selected out of the box. Why did you try and enable that? In what possible scenario would you want/need to serve local DNS over TLS? Do you have your unbound open to the public?

