
Solved openssl error

ProServ

Member

Thanks: 1
Messages: 76

#1
Hi, trying to reload unbound and getting an openssl error
Code:
# unbound-control -c /usr/local/etc/unbound/unbound.conf restart
error: SSL handshake failed
34388867800:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1191:
Any idea on how to fix this?
Thanks.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Thanks: 5,508
Messages: 25,692

#2

ProServ

Member

Thanks: 1
Messages: 76

#3
10.3-RELEASE-p20 FreeBSD 10.3-RELEASE-p20 #0: Wed Jul 12 03:13:07 UTC 2017 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64

Code:
# portupgrade ca_root_nss
--->  Installing the new version via the port
===>  Installing for ca_root_nss-3.32.1
===>   Registering installation for ca_root_nss-3.32.1 as automatic
Installing ca_root_nss-3.32.1...

===>  Cleaning for ca_root_nss-3.32.1
--->  Cleaning out obsolete shared libraries
Code:
# unbound-control -c /usr/local/etc/unbound/unbound.conf reload
error: SSL handshake failed
34388867800:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1191:
 

SirDice

Administrator
Staff member
Administrator
Moderator

Thanks: 5,508
Messages: 25,692

#4
Did you perhaps use a self-signed certificate?
 

ProServ

Member

Thanks: 1
Messages: 76

#5
Didn't install any cert. Just ran the portupgrade. Was under the impression running
portupgrade ca_root_nss installs or updates the base system cert.
If I have to install a cert, where does this cert have to be placed? Can I use a self-signed cert?
Thanks Sir Dice
 

SirDice

Administrator
Staff member
Administrator
Moderator

Thanks: 5,508
Messages: 25,692

#6
I don't use unbound myself so it's a little difficult to diagnose as I have no idea how to configure it. But judging by the error (and the fact you built it from ports), did you perhaps enable DNSCRYPT? I can imagine that requires some setting up and a certificate. I'm pretty sure it's explained in the documentation.
 

ProServ

Member

Thanks: 1
Messages: 76

#7
Hi SirDice, as usual you are dead on. In unbound.conf I uncommented the following:
Code:
        # unbound server key file.
        server-key-file: "/usr/local/etc/unbound/unbound_server.key"

        # unbound server certificate file.
        server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"

        # unbound-control key file.
        control-key-file: "/usr/local/etc/unbound/unbound_control.key"

        # unbound-control certificate file.
        control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"
Code:
# unbound-control -c /usr/local/etc/unbound/unbound.conf reload
ok

Thank you again SirDice!
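The thread's fix was to uncomment the four key/cert options in the remote-control section. The following checker, an added example that is not from the forum post or from the unbound project, parses a unbound.conf text the way the thread's config is laid out (commented lines ignored), reports which of those options are still commented out, and which active options point at files that do not exist on disk (the files are normally generated by unbound-control-setup). Option names and paths come from the thread; the sample config below is constructed.

```python
import os
import re

# Remote-control options the thread had to uncomment before
# unbound-control could complete the TLS handshake with unbound.
REQUIRED_OPTIONS = (
    "server-key-file",
    "server-cert-file",
    "control-key-file",
    "control-cert-file",
)

# Matches an option line such as:  server-key-file: "/path/to/file"
OPTION_RE = re.compile(r'^\s*([a-z-]+):\s*"?([^"\s]+)"?\s*$')


def parse_remote_control(conf_text):
    """Return {option: path} for the uncommented required options only."""
    active = {}
    for line in conf_text.splitlines():
        # A leading '#' means the option is commented out, as in the thread.
        if line.lstrip().startswith("#"):
            continue
        m = OPTION_RE.match(line)
        if m and m.group(1) in REQUIRED_OPTIONS:
            active[m.group(1)] = m.group(2)
    return active


def missing_options(conf_text):
    """Required options that are commented out or absent, in config order."""
    active = parse_remote_control(conf_text)
    return [opt for opt in REQUIRED_OPTIONS if opt not in active]


def missing_files(conf_text, exists=os.path.isfile):
    """Active options whose key/cert file is not present (exists is injectable)."""
    active = parse_remote_control(conf_text)
    return [opt for opt, path in active.items() if not exists(path)]


# Constructed sample config: the state before the fix, all four options commented out.
BROKEN_CONF = """remote-control:
        control-enable: yes
        # server-key-file: "/usr/local/etc/unbound/unbound_server.key"
        # server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"
        # control-key-file: "/usr/local/etc/unbound/unbound_control.key"
        # control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"
"""

if __name__ == "__main__":
    print("still commented out:", missing_options(BROKEN_CONF))
```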