TLS certificate question about Unbound 1.9.2

Hello,

I cloned the GitHub repo and compiled Unbound 1.9.2 on a Raspberry Pi.

It is working perfectly as before upgrading from 1.6.0.

However, I was hoping to use a TLS certificate for DoT.

When I uncomment the following line in /etc/unbound/unbound.conf.d/pi-hole.conf everything stops working (no DNS resolution):

tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

Can someone suggest what I might need to do to fix this?

Many thanks,

RoC

Check that the certificate bundle exists at the assumed path. When it is not found,
DoT silently does not work.

02.04.2019 08:49, rollingonchrome via Unbound-users wrote:


03.04.2019 23:52, rollingonchrome via Unbound-users wrote:

Hello,

Thank you for the replies. I believe I have the tls-cert-bundle information correctly indented now. But, I am still getting the same errors as before about unknown keywords and strays.

It is indented like this:

server:

[a few lines omitted]

#Added for DoT

tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

Here is a link to my actual conf file if anyone would be willing to take a look:
https://send.firefox.com/download/83192a35d41caf47/#G4NxNtajpM1KmZgLI-boBg

I’ve read that OpenSSL on Jessie doesn’t support any TLS except 1.2, so I’m wondering if that might be this issue. Not sure what version of TLS Unbound 1.9.1 uses (I downgraded).

If this is really the case, I'll say that it's very bad when somebody knows a lot :slight_smile:

I'm talking about strange distribution developers who have no idea about such a thing as a fallback.

Hi,

So this config file is fine, the tls-cert-bundle should work fine with a
version of unbound that supports the option (eg. 1.9.2). Like, for me,
it works. I guess you downgraded and are now using an older version
that does not support the tls-cert-bundle option, so the unknown keyword
error is accurate?

Best regards, Wouter

Wouter Wijngaards via Unbound-users:

So this config file is fine, the tls-cert-bundle should work fine with a
version of unbound that supports the option (eg. 1.9.2). Like, for me,
it works. I guess you downgraded and are now using an older version
that does not support the tls-cert-bundle option, so the unknown keyword
error is accurate?

off-Topic:

For this reason I like the Postfix documentation.
Search for "This feature is available in" in Postfix Configuration Parameters.

Andreas

Hi Wouter,

Thank you for taking a look at my config file.

Sorry for any confusion. I am running Unbound 1.9.1. That should support the tls-cert-bundle option, correct?

I had initially tried my config file with 1.9.2, but at Yuri’s suggestion, I downgraded to the latest stable version, 1.9.1.

The tls-cert-bundle option did not work with either 1.9.2 or 1.9.1.

I am running Unbound compiled from source on a Raspberry Pi (Raspbian Jessie).

I now think the problem may be in the OpenSSL version on Raspbian, which only supports TLS 1.2.

Thank you for your help.

Best,

RoC

Wouter Wijngaards wouter at nlnetlabs.nl
Thu Apr 4 09:04:46 CEST 2019

Hi,

So this config file is fine, the tls-cert-bundle should work fine with a
version of unbound that supports the option (eg. 1.9.2).  Like, for me,
it works.  I guess you downgraded and are now using an older version
that does not support the tls-cert-bundle option, so the unknown keyword
error is accurate?

Best regards, Wouter

On 4/3/19 7:52 PM, rollingonchrome via Unbound-users wrote:
> Hello,
>
> Thank you for the replies. I believe I have the tls-cert-bundle
> information correctly indented now. But, I am still getting the same
> errors as before about unknown keywords and strays.
>
> It is indented like this:
>
> server:
>
>       [a few lines omitted]
>
>      #Added for DoT
>      tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
>
> Here is a link to my actual conf file if anyone would be willing to take
> a look:
> https://send.firefox.com/download/83192a35d41caf47/#G4NxNtajpM1KmZgLI-boBg
>
> I've read that OpenSSL on Jessie doesn't support any TLS except 1.2, so
> I'm wondering if that might be this issue. Not sure what version of TLS
> Unbound 1.9.1 uses (I downgraded).
>
> Thank you for your help.
>
> Best,
>
> RoC

04.04.2019 23:35, rollingonchrome via Unbound-users wrote:

Hi Wouter,

Thank you for taking a look at my config file.

Sorry for any confusion. I am running Unbound 1.9.1. That should
support the tls-cert-bundle option, correct?

I had initially tried my config file with 1.9.2, but at Yuri's
suggestion, I downgraded to the latest stable version, 1.9.1.

The tls-cert-bundle option did not work with either 1.9.2 or 1.9.1.

I am running Unbound compiled from source on a Raspberry Pi (Raspbian
Jessie).

I now think the problem may be in the OpenSSL version on Raspbian,
which only supports TLS 1.2.

Assume that it is. However, as far as I know, TLS support is a function of
the OpenSSL library. What prevents you from building a version with the
necessary protocol (for example, OpenSSL 1.0.2o) and rebuilding Unbound
against it?

But what personally keeps me from believing this hypothesis (TLS 1.2) is the complaint about the syntax of the configuration file. I strongly suspect that the binaries are not completely updated.

The correct version should accept the config file (if TLS 1.2 were the problem, as suggested) and complain about connections, not about config keywords.

Logical?

Yuri,

That is a good idea. I will look into downgrading OpenSSL and rebuilding Unbound.

In the meantime, I may run Unbound on a spare Windows box and see if I can get it working with all the features.

Thank you,

RoC

Yuri yvoinov at gmail.com
Thu Apr 4 19:44:37 CEST 2019

Let's check the binaries.

Find and check the unbound libraries. 1.9.1 should have:

lrwxrwxrwx 1 root root 19 Mar 12 22:54 libunbound.so -> libunbound.so.8.1.1
lrwxrwxrwx 1 root root 20 Jun 21 2018 libunbound.so.2 -> libunbound.so.2.5.11
-rwxr-xr-x 1 root root 1090048 Jun 21 2018 libunbound.so.2.5.11
lrwxrwxrwx 1 root root 19 Mar 12 22:54 libunbound.so.8 -> libunbound.so.8.1.1
-rwxr-xr-x 1 root root 1149416 Mar 12 22:54 libunbound.so.8.1.1

such versions.

Then, let's check the main unbound binary version:

/usr/local/sbin/unbound -v

[1554400443] unbound[28945:0] notice: Start of unbound 1.9.1.
Apr 04 23:54:03 unbound[28945:0] error: can't bind socket: Address already in use for 0.0.0.0 port 53
Apr 04 23:54:03 unbound[28945:0] fatal error: could not open ports

Is that what you see on your side?
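An added pre-flight script, not part of the thread, that covers the checks raised so far: Yuri's first reply (does the bundle exist at the path the config names?) and this message (which unbound binary is actually running, and which version is it?). Two details are worth knowing when reading the output above: the version flag is `-V` (capital V), which prints the version, configure line and the OpenSSL the binary was linked against, whereas lowercase `-v` only raises verbosity and starts the daemon, which is what produces the "can't bind socket" lines; and `unbound-checkconf` parses a config without starting anything and names any option the binary does not know as an unknown keyword with file and line. The config and bundle paths are the ones from the thread; the function names and the non-ASCII scan of the config (quotes pasted from a web page tend to arrive as curly quotes, while the Unbound config syntax uses plain ASCII double quotes) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread: pre-flight checks before enabling
# tls-cert-bundle on a source-built Unbound. Paths default to the ones the
# thread uses; override with CONF=... BUNDLE=... in the environment.
CONF="${CONF:-/etc/unbound/unbound.conf}"
BUNDLE="${BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"

# Print the number of PEM certificates in a bundle. Prints 0 and returns 1
# if the file is missing, unreadable or holds no certificate, so a typo in
# the path is caught here instead of showing up as DoT quietly failing.
count_pem_certs() {
    if [ ! -r "$1" ]; then
        echo 0
        return 1
    fi
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Print, with line numbers, every config line that contains a non-ASCII byte.
# Quotes mangled by copy-and-paste from a web page show up here; Unbound's
# config syntax uses plain ASCII double quotes. Returns 1 when nothing is found.
non_ascii_lines() {
    LC_ALL=C grep -n '[^[:print:][:space:]]' "$1"
}

# Show which unbound binary PATH resolves to and what it reports with -V
# (capital V): version, configure line and the OpenSSL it was linked against.
# Lowercase -v only raises verbosity and starts the daemon.
show_binary() {
    bin=$(command -v unbound) || { echo "unbound is not in PATH" >&2; return 1; }
    echo "binary: $bin"
    "$bin" -V
}

# Syntax-check the config with the checker that ships with Unbound; an option
# this binary does not know is reported as an unknown keyword with file:line.
check_config() {
    unbound-checkconf "$1"
}

preflight() {
    echo "== certificate bundle: $BUNDLE"
    n=$(count_pem_certs "$BUNDLE") || echo "WARNING: bundle missing or empty" >&2
    echo "certificates found: $n"
    echo "== non-ASCII bytes in $CONF"
    non_ascii_lines "$CONF" || echo "none"
    echo "== unbound binary"
    show_binary
    echo "== config check"
    check_config "$CONF"
}

# Run the checks only when invoked as: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

Run it as `sh preflight.sh --run` (or `CONF=/etc/unbound/unbound.conf.d/pi-hole.conf sh preflight.sh --run` to point it at the Pi-hole fragment). If `binary:` shows a path other than the one you installed to, the service is running a different build than the one you compiled, and the checkconf result belongs to that other build.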

Hi Yuri,

I apologize, but I’m not sure how to do what you’re suggesting.

I will try to figure it out. If you can let me know a specific command or commands, or where to look and what I’m looking for, I will try to do it.

Thank you for all your help.

Best,

RoC

Ah, that's easy.

find / -name libunbound.so -exec ls -al {} ;

`which unbound` -v

and show the output.

PS. Pay attention: in the second command the ` symbol is a grave accent (backtick), not '.

Thank you, Yuri.

I pasted in your commands and got this error.

pi@raspberrypi_pi-hole:~ $ find / -name libunbound.so -exec ls -al {}
find: missing argument to `-exec'

Try 'find --help' for more information.
pi@raspberrypi_pi-hole:~ $

Thank you for your help.

Best,

RoC

Yuri yvoinov at gmail.com
Thu Apr 4 20:46:38 CEST 2019

05.04.2019 00:56, rollingonchrome via Unbound-users wrote:

Thank you, Yuri.

I pasted in your commands and got this error.

pi@raspberrypi_pi-hole:~ $ find / -name libunbound.so -exec ls -al {}

Correct command is: find / -name libunbound.so -exec ls -al {} \;

https://i.imgur.com/jFFIPrc.png

Thank you, Yuri.

Here is the output of the find command:

lrwxrwxrwx 1 root staff 19 Apr 2 14:48 /usr/local/lib/libunbound.so -> libunbound.so.8.1.1

Here is the output of unbound -v or `which unbound` -v:

pi@raspberrypi_pi-hole:~ $ unbound -v
[1554406887] unbound[1625:0] notice: Start of unbound 1.9.1.
[1554406887] unbound[1625:0] error: can't bind socket: Permission denied for ::1 port 53
[1554406887] unbound[1625:0] fatal error: could not open ports

Hm. Seems the binary is OK.

So, the last resort remains: rebuild Unbound with a downgraded OpenSSL...

Thanks, Yuri.

I will do some research on which OpenSSL version to downgrade to and go from there.

Wondering if I could also build the latest OpenSSL from source to get better TLS support.

Thank again for all your help.

Best,

RoC

Yuri yvoinov at gmail.com
Thu Apr 4 21:48:52 CEST 2019