Solved openssl error

Hi, trying to reload unbound and getting an openssl error
Code:
# unbound-control -c /usr/local/etc/unbound/unbound.conf restart
error: SSL handshake failed
34388867800:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1191:
Any idea on how to fix this?
Thanks.
 
10.3-RELEASE-p20 FreeBSD 10.3-RELEASE-p20 #0: Wed Jul 12 03:13:07 UTC 2017 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64

Code:
# portupgrade ca_root_nss
--->  Installing the new version via the port
===>  Installing for ca_root_nss-3.32.1
===>   Registering installation for ca_root_nss-3.32.1 as automatic
Installing ca_root_nss-3.32.1...

===>  Cleaning for ca_root_nss-3.32.1
--->  Cleaning out obsolete shared libraries
Code:
# unbound-control -c /usr/local/etc/unbound/unbound.conf reload
error: SSL handshake failed
34388867800:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1191:
 
Didn't install any cert. Just ran the portupgrade. Was under the impression running
portupgrade ca_root_nss installs or updates the base system cert.
If I have to install a cert, where does this cert have to be placed? Can I use a self-signed cert?
Thanks Sir Dice
 
I don't use unbound myself so it's a little difficult to diagnose as I have no idea how to configure it. But judging by the error (and the fact you built it from ports), did you perhaps enable DNSCRYPT? I can imagine that requires some setting up and a certificate. I'm pretty sure it's explained in the documentation.
 
Hi SirDice, as usual you are dead on. In unbound.conf I uncommented the following:
Code:
        # unbound server key file.
        server-key-file: "/usr/local/etc/unbound/unbound_server.key"

        # unbound server certificate file.
        server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"

        # unbound-control key file.
        control-key-file: "/usr/local/etc/unbound/unbound_control.key"

        # unbound-control certificate file.
        control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"

# unbound-control -c /usr/local/etc/unbound/unbound.conf reload
ok

Thank you again SirDice!
 
I know the subject is old, but I found the solution. The unconnected keys after the update are outdated, but even if you run unbound-control-setup they will not update properly; you should remove them and then rerun the command:
rm /usr/local/etc/unbound/unbound_server.key
rm /usr/local/etc/unbound/unbound_server.pem
rm /usr/local/etc/unbound/unbound_control.key
rm /usr/local/etc/unbound/unbound_control.pem

Run to recreate them:
unbound-control-setup
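As an added example (not from the thread and not one of Unbound's own scripts), a small sh script that checks the four files unbound-control-setup writes for the consistency unbound-control itself relies on: each key must belong to its certificate, and both certificates must verify against unbound_server.pem, which unbound-control pins as its only trust anchor. The default directory is assumed to be the one from the thread's unbound.conf.

```shell
#!/bin/sh
# Added example (not from the thread or from Unbound): sanity-check the
# files written by unbound-control-setup before a reload, so a stale or
# mismatched pair is found without a TLS handshake. The default directory
# is the one used in the thread's unbound.conf (an assumption).

# key_matches_cert KEYFILE CERTFILE -> 0 if the private key belongs to the cert
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# check_unbound_control_certs [DIR] -> 0 when the server and control
# key/cert pairs are internally consistent, 1 (with a reason on stderr) otherwise
check_unbound_control_certs() {
    dir=${1:-/usr/local/etc/unbound}
    skey=$dir/unbound_server.key;  spem=$dir/unbound_server.pem
    ckey=$dir/unbound_control.key; cpem=$dir/unbound_control.pem
    for f in "$skey" "$spem" "$ckey" "$cpem"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    # Each private key must belong to its own certificate.
    key_matches_cert "$skey" "$spem" || { echo "server key/cert mismatch" >&2; return 1; }
    key_matches_cert "$ckey" "$cpem" || { echo "control key/cert mismatch" >&2; return 1; }
    # unbound-control loads unbound_server.pem as its only trust anchor and
    # verifies the daemon's certificate against it; the daemon verifies the
    # client certificate the same way. Both must chain to it and be unexpired,
    # which is what 'openssl verify' checks here. A server cert regenerated
    # without the control cert (the thread's stale-files case) fails the second test.
    openssl verify -CAfile "$spem" "$spem" >/dev/null 2>&1 \
        || { echo "server cert does not verify against itself (expired or not a CA)" >&2; return 1; }
    openssl verify -CAfile "$spem" "$cpem" >/dev/null 2>&1 \
        || { echo "control cert not signed by server cert: remove all four files and rerun unbound-control-setup" >&2; return 1; }
    return 0
}

# When run directly with a directory argument, report the result.
if [ $# -gt 0 ]; then
    check_unbound_control_certs "$1" && echo "ok: $1"
fi
```

Run it as `sh check_unbound_certs.sh /usr/local/etc/unbound` before `unbound-control reload`; a non-zero exit with "control cert not signed by server cert" is the state the last reply describes.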
 