unbound SSL_CTX errors after upgrade

nforced

Member

Reaction score: 10
Messages: 87

I just upgraded from 10.2-RELEASE to 10.3-RELEASE and after the second reboot I saw this:
Code:
Starting local_unbound.
Waiting for nameserver to start...[1459794274] unbound-control[483:0] warning: control-enable is 'no' in the config file.
error: Error setting up SSL_CTX client key and cert
34388867800:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('/var/unbound/unbound_control.pem','r')
34388867800:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400:
34388867800:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:687:
.[1459794275] unbound-control[486:0] warning: control-enable is 'no' in the config file.
error: Error setting up SSL_CTX client key and cert
34388867800:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('/var/unbound/unbound_control.pem','r')
34388867800:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400:
34388867800:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:687:
.[1459794276] unbound-control[489:0] warning: control-enable is 'no' in the config file.
error: Error setting up SSL_CTX client key and cert
34388867800:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('/var/unbound/unbound_control.pem','r')
34388867800:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400:
34388867800:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:687:
.[1459794277] unbound-control[492:0] warning: control-enable is 'no' in the config file.
error: Error setting up SSL_CTX client key and cert
34388867800:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('/var/unbound/unbound_control.pem','r')
34388867800:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400:
34388867800:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:687:
.[1459794278] unbound-control[495:0] warning: control-enable is 'no' in the config file.
error: Error setting up SSL_CTX client key and cert
34388867800:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('/var/unbound/unbound_control.pem','r')
34388867800:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400:
34388867800:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:687:
giving up
Does anyone know why did this happened and how to solve it?
 

cpm@

Moderator
Staff member
Moderator
Developer

Reaction score: 951
Messages: 2,140

Have you added the following at the end of the config file?
Code:
control-enable: yes
Read unbound.conf(5) man page for further details.
 
OP
nforced

nforced

Member

Reaction score: 10
Messages: 87

No, I didn't had that, but when I add it I get:
Code:
#service local_unbound restart
local_unbound not running? (check /var/run/local_unbound.pid).
Starting local_unbound.
/var/unbound/unbound.conf:5: error: syntax error
read /var/unbound/unbound.conf failed: 1 errors in configuration file
[1459796363] unbound[1404:0] fatal error: Could not read config file: /var/unbound/unbound.conf
/etc/rc.d/local_unbound: WARNING: failed to start local_unbound
Without "control-enable: yes" I get the initial errors.
Anyway I wonder is this for PR or it's something on my side that needs to be done. Overall I don't think this should have happened at first place without a reason.
 

DutchDaemon

Administrator
Staff member
Administrator
Moderator
Developer

Reaction score: 3,214
Messages: 11,432

Code:
remote-control:
       control-enable: no
Setting this in unbound.conf should not produce these weird messages, because Unbound works fine after spewing them, and setting it to no already tells Unbound to not initialise SSL/TLS. Those errors are not a good thing.
Code:
error: Error setting up SSL_CTX client key and cert
That is really baloney, and unnecessarily alarmist.
 

DutchDaemon

Administrator
Staff member
Administrator
Moderator
Developer

Reaction score: 3,214
Messages: 11,432

No, I didn't had that, but when I add it I get:
Code:
#service local_unbound restart
local_unbound not running? (check /var/run/local_unbound.pid).
Starting local_unbound.
/var/unbound/unbound.conf:5: error: syntax error
read /var/unbound/unbound.conf failed: 1 errors in configuration file
[1459796363] unbound[1404:0] fatal error: Could not read config file: /var/unbound/unbound.conf
/etc/rc.d/local_unbound: WARNING: failed to start local_unbound
Without "control-enable: yes" I get the initial errors.
Anyway I wonder is this for PR or it's something on my side that needs to be done. Overall I don't think this should have happened at first place without a reason.

You need the category, see above. But that's the same as leaving it out entirely, because the default is already no. The screenfull of errors is not appreciated, by me anyway.
 

cpm@

Moderator
Staff member
Moderator
Developer

Reaction score: 951
Messages: 2,140

Put this line in the correct place:
Code:
remote-control:
       control-enable: yes

PS. DutchDaemon replied first :cool:
 
OP
nforced

nforced

Member

Reaction score: 10
Messages: 87

Ok did this what you have advised, I put
Code:
remote-control:
    control-enable: yes
at the bottom of /etc/unbound/unbound.conf

and then I here's what happening:
Code:
service local_unbound start
Starting local_unbound.
/etc/rc.d/local_unbound: WARNING: failed to start local_unbound
/var/log/messages
Code:
Apr  4 22:13:56 beast unbound: [1600:0] error: Error for server-cert-file: /var/unbound/unbound_server.pem
Apr  4 22:13:56 beast unbound: [1600:0] error: Error in SSL_CTX use_certificate_chain_file crypto error:02001002:system library:fopen:No such file or directory
Apr  4 22:13:56 beast unbound: [1600:0] error: and additionally crypto error:20074002:BIO routines:FILE_CTRL:system lib
Apr  4 22:13:56 beast unbound: [1600:0] error: and additionally crypto error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib
Apr  4 22:13:56 beast unbound: [1600:0] fatal error: could not set up remote-control
Apr  4 22:13:56 beast booster: /etc/rc.d/local_unbound: WARNING: failed to start local_unbound
 

DutchDaemon

Administrator
Staff member
Administrator
Moderator
Developer

Reaction score: 3,214
Messages: 11,432

Of course, if you set it to yes you will have to set it up entirely, with the certificates and keys and everything. Very few people will actually need remote control of their resolvers. So set it to no (or remove it) and just swallow the horrible errors (for now).
 
OP
nforced

nforced

Member

Reaction score: 10
Messages: 87

Of course, if you set it to yes you will have to set it up entirely, with the certificates and keys and everything.
Ok, I don't want this since I never had it and I really don't need it. So I removed that and got the initial warnings again, it's good that it works that way but still sad to see this output with control-enable: no so I wonder should I submit a PR on this or just leave it like that till someone fix it for some other reason?
 

DutchDaemon

Administrator
Staff member
Administrator
Moderator
Developer

Reaction score: 3,214
Messages: 11,432

I'm sure PRs will be lodged almost instantly, but it doesn't hurt.
 

cpm@

Moderator
Staff member
Moderator
Developer

Reaction score: 951
Messages: 2,140

Right, I just did that https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208529 let's see what will happen :)

You should set up unbound-control correctly. From the unbound-control (8) man page:
SET UP
The setup requires a self-signed certificate and private keys for both
the server and client. The script unbound-control-setup generates
these in the default run directory, or with -d in another directory.
If you change the access control permissions on the key files you can
decide who can use unbound-control, by default owner and group but not
all users. Run the script under the same username as you have config-
ured in unbound.conf or as root, so that the daemon is permitted to
read the files, for example with:
sudo -u unbound unbound-control-setup​
If you have not configured a username in unbound.conf, the keys need
read permission for the user credentials under which the daemon is
started. The script preserves private keys present in the directory.
After running the script as root, turn on control-enable in
unbound.conf.​
 

DutchDaemon

Administrator
Staff member
Administrator
Moderator
Developer

Reaction score: 3,214
Messages: 11,432

Setting it to no should never produce these errors, that is the point of the bug report.
 

cpm@

Moderator
Staff member
Moderator
Developer

Reaction score: 951
Messages: 2,140

But you should install dns/unbound because the base system doesn't contain unbound-control-setup.

Thanks for clarifying this.

nforced: Consider to install dns/unbound port. You'll have unbound updated more frequently over what's in FreeBSD base because the port maintainer has to deal with less things than the OS team.
 

obsigna

Daemon

Reaction score: 899
Messages: 1,295

Only today, I saw this also on my server, that I updated recently from RELEASE-10.2 to -10.3

I found the culprit. It lies in the local_unbound_poststart() sub-routine in file /etc/rc.d/local_unbound. Said sub-routine has been newly introduced with RELEASE-10.3 in order to:
/etc/rc.d/local_unbound said:
#
# After starting, wait for Unbound to report that it is ready to avoid
# race conditions with services which require functioning DNS.
#

And for checking the online status of Unbound, somebody got the particularly bright idea to utilize the remote control tool unbound-control, which is disabled by default, and not properly setup on most machines, and in order to add insult to the injury, local_unbound_poststart() tries it 5 times before giving up.

In my file /etc/rc.d/local_unbound I commented out the body of local_unbound_poststart():
Code:
#
# After starting, wait for Unbound to report that it is ready to avoid
# race conditions with services which require functioning DNS.
#
local_unbound_poststart()
{
#    local retry=5
#
#    echo -n "Waiting for nameserver to start..."
#    until "${command}-control" status | grep -q "is running" ; do
#        if [ $((retry -= 1)) -eq 0 ] ; then
#            echo " giving up"
#            return 1
#        fi
#        echo -n "."
#        sleep 1
#    done
#    echo " good"
}
This solved the problem for me. I am using Unbound since 2 years, and I never saw any race conditions, anyway. If we really need to check whether unbound is running, why not simply run drill localhost @127.0.0.1, or something similar along this line. The additional benefit of this would be, that the timing out feature is built-in to the drill(1) command.
 
OP
nforced

nforced

Member

Reaction score: 10
Messages: 87

Hmm, this is what I did today
Code:
root@beast:~ > portmaster dns/unbound
root@beast:~ > unbound-control-setup
setup in directory /usr/local/etc/unbound
generating unbound_server.key
Generating RSA private key, 3072 bit long modulus
...................++
.................................................................................................................................................................++
e is 65537 (0x10001)
generating unbound_control.key
Generating RSA private key, 3072 bit long modulus
.............++
..........++
e is 65537 (0x10001)
create unbound_server.pem (self signed certificate)
create unbound_control.pem (signed client certificate)
Signature ok
subject=/CN=unbound-control
Getting CA Private Key
Setup success. Certificates created. Enable in unbound.conf file to use
root@beast:~ > /etc/rc.d/local
local*  local_unbound* localpkg*
root@beast:~ > /etc/rc.d/local
local*  local_unbound* localpkg*
root@beast:~ > /etc/rc.d/local_unbound restart
Stopping local_unbound.
Waiting for PIDS: 504.
Starting local_unbound.
Waiting for nameserver to start...[1460028235] unbound-control[1359:0] warning: control-enable is 'no' in the config file.
Same thing.
 

kpa

Beastie's Twin

Reaction score: 1,848
Messages: 6,318

You can't mix local_unbound service and dns/unbound, they use totally different locations for binaries and configuration files. Assuming you want to have the control ability use the port only.
 
OP
nforced

nforced

Member

Reaction score: 10
Messages: 87

Crap. OK since this doesn't fix the problem for me I am removing it.
 

cpm@

Moderator
Staff member
Moderator
Developer

Reaction score: 951
Messages: 2,140

You can disable local_unbound service from base.

According to the man src.conf(5) there is an option called WITHOUT_UNBOUND, when it's set, will cause the unbound is not installed. Then set
Code:
WITHOUT_UNBOUND=yes
in /etc/src.conf is the first step to prevent it from being reinstalled in an update.

After the parameter is in place, if you go to /usr/src and run make check-old
Code:
Checking for old files
/etc/rc.d/local_unbound
/etc/unbound
/usr/sbin/local-unbound-setup
/usr/sbin/unbound
/usr/sbin/unbound-anchor
/usr/sbin/unbound-checkconf
/usr/sbin/unbound-control
/usr/sbin/unbound-control-setup
/usr/share/man/man5/unbound.conf.5.gz
/usr/share/man/man8/unbound-anchor.8.gz
/usr/share/man/man8/unbound-checkconf.8.gz
/usr/share/man/man8/unbound-control.8.gz
/usr/share/man/man8/unbound.8.gz
Checking for old libraries
/usr/lib/private/libunbound.so.5
/usr/lib32/private/libunbound.so.5
Checking for old directories
To remove old files and directories run 'make delete-old'.
To remove old libraries run 'make delete-old-libs'.

The files currently installed from unbound already enter the obsolete list, and can be removed to make delete-old and make delete-old-libs
 
OP
nforced

nforced

Member

Reaction score: 10
Messages: 87

Thanks cpm, I don't want to disable this service, I use it for my own needs I just want to have it running like I aways used to. I know disabling it will solve the problem, but thats not my point.
 

cpm@

Moderator
Staff member
Moderator
Developer

Reaction score: 951
Messages: 2,140

Of course, it all depends on your intentions. In the meantime, you can use dns/unbound.
 

obsigna

Daemon

Reaction score: 899
Messages: 1,295

I have tried this, same problem there...
I guess you misunderstood the suggestion. Installing dns/unbound is not sufficient. You need to tell your system to use it instead of local_unbound from the base system. To begin with, you would need to copy the settings from /etc/unbound/unbound.conf (the base location) to /usr/local/etc/unbound/unbound.conf, i.e. the settings location of the Unbound port. In addition, the start command is of course not
Code:
local_unbound_enable="YES"
but simply
Code:
unbound_enable="YES"
There is no need to remove local_unbound, only make sure, you don't activate it in file /etc/rc.conf.

Anyway, installing dns/unbound and transferring all the settings, is IMHO much more hassle than simply deactivating the culprit local_unbound_poststart() subroutine in /etc/rc.d/local_unbound. I added a comment on your PR 208529 on this.
 

LiSergey

Member

Reaction score: 2
Messages: 21

I found the culprit. It lies in the local_unbound_poststart() sub-routine in file /etc/rc.d/local_unbound.

In my file /etc/rc.d/local_unbound I commented out the body of local_unbound_poststart():
Code:
#
# After starting, wait for Unbound to report that it is ready to avoid
# race conditions with services which require functioning DNS.
#
local_unbound_poststart()
{
#    local retry=5
#
#    echo -n "Waiting for nameserver to start..."
#    until "${command}-control" status | grep -q "is running" ; do
#        if [ $((retry -= 1)) -eq 0 ] ; then
#            echo " giving up"
#            return 1
#        fi
#        echo -n "."
#        sleep 1
#    done
#    echo " good"
}
This solved the problem for me. I am using Unbound since 2 years, and I never saw any race conditions, anyway. If we really need to check whether unbound is running, why not simply run drill localhost @127.0.0.1, or something similar along this line. The additional benefit of this would be, that the timing out feature is built-in to the drill(1) command.

Thanks, that helped me.
I prefer to use bundled unbound on lower-load servers to pay less attention for updates, while install dns/unbound on busy servers with more options available for high load.

Also, in default config /etc/unbound/unbound.conf.sample it is chroot enabled by default, with mismatched pid-file location, by default inside in config and outside in /etc/rc.d/local_unbound script

diff:
Code:
- # pidfile: "/etc/unbound/unbound.pid"
+pidfile: "/var/run/local_unbound.pid"
 
Top