Unbound not starting
-
The last few days I have not been able to get the DNS Resolver to start. My config isn't too complex. Here is my config and the alert:
The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was:
[1693933801] unbound[95542:0] error: Error for server-key-file: /var/unbound/unbound_server.key
[1693933801] unbound[95542:0] error: Error in SSL_CTX use_PrivateKey_file crypto error:02001002:system library:fopen:No such file or directory
[1693933801] unbound[95542:0] error: and additionally crypto error:20074002:BIO routines:file_ctrl:system lib
[1693933801] unbound[95542:0] error: and additionally crypto error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib
[1693933801] unbound[95542:0] fatal error: could not set up remote-control
##########################
# Unbound Configuration
##########################

# Server configuration
server:
chroot: /var/unbound
username: "unbound"
directory: "/var/unbound"
pidfile: "/var/run/unbound.pid"
use-syslog: yes
port: 53
verbosity: 1
hide-identity: yes
hide-version: yes
harden-glue: yes
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: yes
module-config: "validator iterator"
unwanted-reply-threshold: 0
num-queries-per-thread: 512
jostle-timeout: 200
infra-keep-probing: yes
infra-host-ttl: 900
infra-cache-numhosts: 10000
outgoing-num-tcp: 10
incoming-num-tcp: 10
edns-buffer-size: 1432
cache-max-ttl: 86400
cache-min-ttl: 0
harden-dnssec-stripped: no
msg-cache-size: 50m
rrset-cache-size: 100m

num-threads: 16
msg-cache-slabs: 16
rrset-cache-slabs: 16
infra-cache-slabs: 16
key-cache-slabs: 16
outgoing-range: 4096
#so-rcvbuf: 4m
auto-trust-anchor-file: /var/unbound/root.key
prefetch: yes
prefetch-key: yes
use-caps-for-id: no
serve-expired: no
aggressive-nsec: no

# Statistics
# Unbound Statistics
statistics-interval: 0
extended-statistics: yes
statistics-cumulative: yes

# TLS Configuration
tls-cert-bundle: "/etc/ssl/cert.pem"

# Interface IP addresses to bind to
interface: 192.168.1.1
interface: 192.168.254.1

# Outgoing interfaces to be used
outgoing-interface: 201.191.29.49

# DNS Rebinding
# For DNS Rebinding prevention
private-address: 127.0.0.0/8
private-address: 10.0.0.0/8
private-address: ::ffff:a00:0/104
private-address: 172.16.0.0/12
private-address: ::ffff:ac10:0/108
private-address: 169.254.0.0/16
private-address: ::ffff:a9fe:0/112
private-address: 192.168.0.0/16
private-address: ::ffff:c0a8:0/112
private-address: fd00::/8
private-address: fe80::/10

# Access lists
include: /var/unbound/access_lists.conf

# Static host entries
include: /var/unbound/host_entries.conf

# dhcp lease entries
include: /var/unbound/dhcpleases_entries.conf

# Domain overrides
include: /var/unbound/domainoverrides.conf

# Forwarding
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 1.1.1.1@853#Cloudflare-dns.com
  forward-addr: 8.8.8.8@853#dns.google

# Remote Control Config
include: /var/unbound/remotecontrol.conf
-
So as part of troubleshooting and looking at other posts, I rm'd both the key and cert. I should just need to recreate them.
-
@platta13 said in Unbound not starting:
I rm both the key and cert. I should just need to recreate them
Look here :
remote-control:
control-enable: yes
control-interface: 127.0.0.1
control-port: 953
server-key-file: "/var/unbound/unbound_server.key"
server-cert-file: "/var/unbound/unbound_server.pem"
control-key-file: "/var/unbound/unbound_control.key"
control-cert-file: "/var/unbound/unbound_control.pem"
I thought they were recreated on every restart? Reboot?
Guess not => nope: 18/01/2023 wasn't the last time my unbound restarted.
Dunno what I was doing on January 18, 2023.
Deleting (rm) them will most probably recreate them.
-
@Gertjan I have rebooted and restarted the DNS Resolver. It didn't recreate the cert and key. My remotecontrol.conf is identical to the one you posted too. Any other recommendations?
-
@platta13 said in Unbound not starting:
It didn't recreate the cert and key
Ah ....
I'll check with the manual ..... ( the source ).
edit : I'm back.
When this entry is created:
a triple check is performed:
If the file /var/unbound/remotecontrol.conf exists
If the file /var/unbound/remotecontrol.conf isn't a zero byte file
If the file /var/unbound/unbound_control.key (and not the other 3) exists
If any of these 3 fails, the certs are recreated.
I tested that:
I renamed the four files.
On the dashboard, I've stopped unbound.
5 seconds waiting ...
I've started unbound. I found:
Look at the four new files: the time stamp was from 5 minutes ago, they were all regenerated.
Your pfSense version?
-
@Gertjan I rebooted with a file system check and it did recreate the files this time. New error in logs:
/status_services.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was:
[1694008408] unbound[61299:0] error: Error for server-key-file: /var/unbound/unbound_server.key
[1694008408] unbound[61299:0] error: Error in SSL_CTX use_PrivateKey_file crypto error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[1694008408] unbound[61299:0] fatal error: could not set up remote-control
So somehow it created a key and pem but they don't match?
-
@platta13
See above, I edited with more info.
From what I understand, it generated the files.
"It" is actually
/usr/bin/su -m unbound -c '/usr/local/sbin/unbound-control-setup -d /var/unbound/'
which can be translated as:
Do as the unbound user 'unbound':
execute "unbound-control-setup"
with destination folder /var/unbound/
So far, so good, the four certificate files were created.
Your issue:
The certificates created by unbound-control-setup are not understood by unbound ....
You're using 2.7.0 or 23.05.1, right?
edit:
Please confirm that you wiped all four cert files - these four:
and that they are all four regenerated.
System time is ok?
edit: file system check? That's something from the past, for those who do not want to use ZFS.
True: ripping out the power, without a proper system shutdown command (like Windows PCs, Apple, etc.), will destroy the file system eventually. But who does that these days?
I'm using ZFS, as I have 23.05.1, and still I use a UPS. People tend to get nervous when the "Internet" goes down here.
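The two conditions discussed in this thread can be checked by hand before restarting the service: whether the four remote-control files that unbound-control-setup writes into the chroot exist and are non-empty (the first error, fopen: No such file or directory), and whether each private key actually belongs to its certificate (the second error, X509_check_private_key: key values mismatch, which is what unbound's SSL_CTX_use_PrivateKey_file call reports). The script below is an added example and is not code from the thread or from pfSense itself. It uses openssl to compare the public key derived from each .key file with the public key embedded in the matching .pem, and prints (or, with DO_IT=1, runs) the same su / unbound-control-setup command Gertjan quoted to regenerate all four files. The directory argument, the DO_IT variable and the function names are this example's own; the file names and the default location /var/unbound are the ones pfSense uses.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense's own code: check the
# four Unbound remote-control files in a chroot directory and regenerate
# them the way pfSense does. The directory argument, DO_IT and the function
# names are this example's own; the file names match pfSense's.

# Public key derived from a PEM private key (what the certificate must carry).
pubkey_of_key() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# Public key embedded in a PEM X.509 certificate.
pubkey_of_cert() {
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null
}

# Return 0 when the private key and certificate carry the same public key,
# 1 otherwise. A mismatch here is what unbound reports as
# "X509_check_private_key:key values mismatch".
cert_pair_matches() {
    ck_key="$1"; ck_cert="$2"
    [ -s "$ck_key" ] && [ -s "$ck_cert" ] || return 1
    ck_k=$(pubkey_of_key "$ck_key") || return 1
    ck_c=$(pubkey_of_cert "$ck_cert") || return 1
    [ -n "$ck_k" ] && [ "$ck_k" = "$ck_c" ]
}

# Check unbound_server.{key,pem} and unbound_control.{key,pem} in DIR.
# Prints one line per finding; returns 0 only if all four files exist, are
# non-empty and each key matches its certificate.
check_remote_control_files() {
    dir="$1"; rc=0
    for base in unbound_server unbound_control; do
        key="$dir/$base.key"; cert="$dir/$base.pem"
        for f in "$key" "$cert"; do
            if [ ! -s "$f" ]; then
                echo "MISSING  $f"; rc=1
            fi
        done
        if [ -s "$key" ] && [ -s "$cert" ]; then
            if cert_pair_matches "$key" "$cert"; then
                echo "OK       $base: key matches certificate"
            else
                echo "MISMATCH $base: key does not match certificate"; rc=1
            fi
        fi
    done
    return $rc
}

# Regenerate all four files as pfSense does: remove them, then run
# unbound-control-setup as the unbound user with the chroot as destination.
# Only prints the command unless DO_IT=1, because it overwrites the files;
# stop the DNS Resolver first (the thread did it with a reboot).
regenerate_remote_control_files() {
    dir="$1"
    cmd="/usr/bin/su -m unbound -c '/usr/local/sbin/unbound-control-setup -d $dir/'"
    if [ "${DO_IT:-0}" = "1" ]; then
        rm -f "$dir/unbound_server.key" "$dir/unbound_server.pem" \
              "$dir/unbound_control.key" "$dir/unbound_control.pem"
        eval "$cmd"
    else
        echo "would run: $cmd"
    fi
}

# Usage on pfSense (as root), after copying this file to the box:
#   . ./check_unbound_rc.sh
#   check_remote_control_files /var/unbound || DO_IT=1 regenerate_remote_control_files /var/unbound
```

Run the check before touching anything: a MISSING line points at the first error in the thread, a MISMATCH line at the second. Only when the check fails is there a reason to wipe and regenerate, and after regeneration the check should print four OK lines before the service is started again.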
-
@Gertjan Ok, all resolved. deleted all 4 files (unbound_control.pem/key and unbound_server.pem/key) and rebooted. All 4 files are created anew and service is up and running.
Thank you for the help on this. I believe I am all set.