Netgate Discussion Forum

    Netgate SG-1100 - 2.4.4-RELEASE-p3 - Unbound Won't start

    Official Netgate® Hardware
    11 Posts 4 Posters 1.3k Views

    BEB Consulting

      We have a quantity of 2 Netgate SG-1100, both running pfSense 2.4.4-RELEASE-p3. Both have the DNS Resolver (unbound) enabled, but neither will start the unbound service.

      The DNS Resolver Log only has:
      May 24 11:12:29 kernel unbound: 1.8.1 -> 1.9.1 [pfSense]

      The General Log has:
      May 31 14:11:09 dhcpleases Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such file or directory.
      May 31 14:11:10 dhcpleases Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such file or directory.
      May 31 14:11:10 dhcpleases Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such file or directory.
      May 31 14:11:13 dhcpleases Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such file or directory.
      May 31 14:11:13 dhcpleases Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such file or directory.
      May 31 14:11:15 dhcpleases kqueue error: unknown
      May 31 14:11:15 dhcpleases Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such file or directory.
      May 31 14:12:03 dhcpleases /etc/hosts changed size from original!
      May 31 14:12:03 dhcpleases Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such file or directory.
      May 31 14:12:08 php-fpm 95254 /status_services.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1559333528] unbound[47979:0] error: Error for server-cert-file: /var/unbound/unbound_server.pem [1559333528] unbound[47979:0] error: Error in SSL_CTX use_certificate_chain_file crypto error:0906D06C:PEM routines:PEM_read_bio:no start line [1559333528] unbound[47979:0] error: and additionally crypto error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib [1559333528] unbound[47979:0] fatal error: could not set up remote-control'

      The DHCP Server log has:
      May 31 14:16:59 dhcpleases Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such file or directory.

      DNS Forwarder is disabled

      We have the DNS Resolver enabled, and listening on port 53, and 853 for SSL/TLS.

      Nothing we have tried in the other forum posts has worked.
      https://forum.netgate.com/topic/94320/unbound-does-not-automatically-start-after-reboot/13
      https://www.reddit.com/r/PFSENSE/comments/73x9kq/unbound_not_starting_no_dns_resolving_for_network/

      DNS resolution appears to work; however, this service is not running, so I'm not sure how it could be working but not running.

      Any suggestions?

      RonpfS

        https://forum.netgate.com/topic/140349/dsnbl-error-connect-can-t-assign-requested-address-for-127-0-0-1-port-953/34

        2.4.5-RELEASE-p1 (amd64)
        Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
        Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

        BEB Consulting

          This does not apply to this issue. I don't even have a file or directory called /var/unbound.

          I do not have pfBlockerNG installed; this is a Netgate hardware appliance.

          We also are not using any ports other than the defaults, so we are not using port 953.

          RonpfS

            Well, a problem with the certificate doesn't involve pfBlockerNG.

            Did you save settings in DNS Resolver? Maybe that could create the /var/unbound folder and start the service.


              BEB Consulting

              Saved settings 5 times, and still no change, and /var/unbound was not created.

              Oddly, the 2nd one is now working; no change was made and it was saved.

              The other one is not working; no change was made and it was saved, but it is still not working.

              Both do not have /var/unbound created, but one works, the other does not, both are the same model and firmware level.

              Same error as listed in logs.

              We also see this in the logs as well:
              Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such file or directory.

              After clicking SAVE and then APPLY, I get that the change was successful:
              The changes have been applied successfully.
              but still will not start the unbound service.

                BEB Consulting

                I am now getting a lot of these on the SG-1100 that is NOT working:

                /services_unbound.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1559525137] unbound[99413:0] error: Error for server-cert-file: /var/unbound/unbound_server.pem [1559525137] unbound[99413:0] error: Error in SSL_CTX use_certificate_chain_file crypto error:0906D06C:PEM routines:PEM_read_bio:no start line [1559525137] unbound[99413:0] error: and additionally crypto error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib [1559525137] unbound[99413:0] fatal error: could not set up remote-control'

                Would deleting the pem files correct this issue?

                  RonpfS

                  Yes: stop unbound, delete all certificate files, save settings, start unbound; if that doesn't work, reboot the system.


                    BEB Consulting @RonpfS
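The check behind the fix above, as an added example that is not code from this thread or from pfSense/Netgate: the startup error quoted earlier names the remote-control `server-cert-file` (/var/unbound/unbound_server.pem), and OpenSSL's "PEM_read_bio:no start line" means the file it opened contained no "-----BEGIN ...-----" armor (empty, truncated, or not PEM at all). The script below reproduces that test offline for the PEM files in the /var/unbound listing further down the thread, moves broken ones aside instead of deleting them outright, and, as an assumption labelled in the comments, can call unbound-control-setup(8) to recreate the remote-control pair. The file names come from the listing; the directory is a parameter so it can be tried on a scratch copy first.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense/Netgate.
# Checks the PEM files that unbound loads at startup for the defect the log
# above reports: "PEM routines:PEM_read_bio:no start line" means OpenSSL found
# no "-----BEGIN ...-----" armor in the file named by server-cert-file.
# File names are the ones in the /var/unbound listing in this thread; the
# directory is a parameter so the functions can be run against a scratch copy.

# Remote-control key pair (unbound_server.* / unbound_control.*) plus the
# TLS listener pair shown in the listing (sslcert.crt / sslcert.key).
UNBOUND_PEM_FILES="unbound_server.pem unbound_server.key unbound_control.pem unbound_control.key sslcert.crt sslcert.key"

# check_pem FILE: 0 if FILE is non-empty and carries matching PEM armor,
# 1 otherwise (reason on stderr). Works for certs and private keys alike.
check_pem() {
    f=$1
    if [ ! -s "$f" ]; then
        echo "FAIL $f: missing or zero bytes" >&2
        return 1
    fi
    if ! grep -q -- '^-----BEGIN ' "$f"; then
        echo "FAIL $f: no -----BEGIN line (OpenSSL reports this as 'no start line')" >&2
        return 1
    fi
    if ! grep -q -- '^-----END ' "$f"; then
        echo "FAIL $f: truncated, no -----END line" >&2
        return 1
    fi
    echo "OK   $f" >&2
    return 0
}

# count_bad_pems DIR: print how many of UNBOUND_PEM_FILES in DIR fail check_pem.
# Always returns 0 so it is safe under 'set -e' and inside $(...).
count_bad_pems() {
    dir=$1
    bad=0
    for name in $UNBOUND_PEM_FILES; do
        check_pem "$dir/$name" || bad=$((bad + 1))
    done
    echo "$bad"
    return 0
}

# quarantine_bad_pems DIR: move (rather than delete) every present-but-broken
# PEM into DIR/broken-pem.<timestamp> so the thread's fix ("delete the cert
# files, save settings, start unbound") can be undone. Prints the count moved.
quarantine_bad_pems() {
    dir=$1
    bak="$dir/broken-pem.$(date +%Y%m%d%H%M%S)"
    moved=0
    for name in $UNBOUND_PEM_FILES; do
        f="$dir/$name"
        [ -e "$f" ] || continue          # absent files get regenerated anyway
        if ! check_pem "$f" 2>/dev/null; then
            mkdir -p "$bak"
            mv "$f" "$bak/"
            moved=$((moved + 1))
        fi
    done
    echo "$moved"
    return 0
}

# regenerate_control_pems DIR: recreate the remote-control pair with
# unbound-control-setup(8) if it is on PATH (-d selects the directory).
# Assumption: as the thread observed, saving the DNS Resolver settings in the
# pfSense GUI also regenerates them, so this is a convenience, not a requirement.
regenerate_control_pems() {
    dir=$1
    if command -v unbound-control-setup >/dev/null 2>&1; then
        unbound-control-setup -d "$dir"
    else
        echo "unbound-control-setup not found; save DNS Resolver settings in the GUI instead" >&2
        return 2
    fi
}

# Stand-alone run against the live directory (root on the appliance console):
#   sh check_unbound_pems.sh /var/unbound
if [ -n "$1" ]; then
    echo "$(count_bad_pems "$1") broken PEM file(s) under $1" >&2
fi
```

Run it with the DNS Resolver stopped, then save the resolver settings (or call regenerate_control_pems) and start unbound; the quarantined originals stay under /var/unbound/broken-pem.* for comparison. The same armor check applies to sslcert.crt and sslcert.key if the resolver is set to listen on 853, since a listener that cannot load its certificate is one more reason for unbound to refuse to start.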

                    @RonpfS Unbound is not running; actually, it won't start, which is what started this whole issue. I have one SG-1100 on which unbound starts, and another SG-1100 on which unbound won't start. I'll try deleting the pem files and restarting unbound and report back the findings.

                      BEB Consulting

                      That worked! Thanks @RonpfS - I now have the unbound service running on both SG-1100 appliances. THANKS A LOT!

                        Gertjan

                        The directory /var/unbound was always there.

                        If not, this error:

                        May 31 14:12:08 php-fpm 95254 /status_services.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1559333528] unbound[47979:0] error: Error for server-cert-file: /var/unbound/unbound_server.pem [1559333528] unbound[47979:0] error: Error in SSL_CTX use_certificate_chain_file crypto error:0906D06C:PEM routines:PEM_read_bio:no start line [1559333528] unbound[47979:0] error: and additionally crypto error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib [1559333528] unbound[47979:0] fatal error: could not set up remote-control'

                        wasn't possible.

                        unbound found its settings file /var/unbound/unbound.conf and had trouble reading a cert file mentioned in /var/unbound/unbound.conf.
                        That is a file called unbound.conf in the directory /var/unbound/. So both exist.

                        Check why you couldn't find /var/unbound/:

                        [2.4.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: cd /var
                        [2.4.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/var: cd unbound/
                        [2.4.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/var/unbound: ls -al
                        total 80
                        drwxr-xr-x   5 unbound  unbound  1024 May 22 17:22 .
                        drwxr-xr-x  32 root     wheel     512 May 16 00:55 ..
                        -rw-r--r--   1 root     unbound   345 May 22 17:22 access_lists.conf
                        drwxr-xr-x   2 unbound  unbound   512 May 16 00:55 conf.d
                        -rw-r--r--   1 root     unbound     0 May 22 17:22 dhcpleases_entries.conf
                        -rw-r--r--   1 root     unbound  3578 Nov 25  2015 dnsbl_cert.pem
                        -rw-r--r--   1 root     unbound     0 May 22 17:22 domainoverrides.conf
                        -rw-r--r--   1 root     unbound  6192 May 22 17:22 host_entries.conf
                        -rw-r--r--   1 unbound  unbound  1668 May 21 12:59 netflix-no-aaaa.py
                        -rw-r--r--   1 root     unbound     0 Jun  7  2016 pfb_dnsbl.conf
                        -rw-r--r--   1 root     unbound  1216 May 30  2016 pfb_dnsbl_lighty.conf
                        -rw-r--r--   1 root     unbound   300 Jan 29  2015 remotecontrol.conf
                        -rw-r--r--   1 unbound  unbound   759 May 22 17:22 root.key
                        -rw-r--r--   1 root     unbound  3953 Mar  1 17:30 sslcert.crt
                        -rw-------   1 root     unbound  3247 Mar  1 17:30 sslcert.key
                        -rw-r--r--   1 root     unbound  1985 May 22 17:22 unbound.conf
                        -rw-r-----   1 unbound  unbound  1277 Jan 29  2015 unbound_control.key
                        -rw-r-----   1 unbound  unbound   802 Jan 29  2015 unbound_control.pem
                        -rw-r-----   1 unbound  unbound  1277 Jan 29  2015 unbound_server.key
                        -rw-r-----   1 unbound  unbound   790 Jan 29  2015 unbound_server.pem
                        drwxr-xr-x   3 root     unbound   512 Jan  8  2018 usr
                        drwxr-xr-x   3 root     unbound   512 Jan  8  2018 var
                        

                        You are using console access, right?

                        No "help me" PM's please. Use the forum, the community will thank you.
                        Edit: and where are the logs?

                          johnpoz LAYER 8 Global Moderator

                          @BEB-Consulting said in Netgate SG-1100 - 2.4.4-RELEASE-p3 - Unbound Won't start:

                          and 853 for SSL/TLS.

                          More than likely this was the root of your problem. If you're going to want unbound to listen on 853, then you have to take the time to make sure the cert it's going to use is valid, etc.

                          That is clearly not selected out of the box. Why did you try to enable that? In what possible scenario would you want/need to serve local DNS over TLS? Do you have your unbound open to the public?

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.