Bug #11678

closed

Certificate Manager does not report Unbound as using a certificate

Added by Steve Wheeler over 3 years ago. Updated over 3 years ago.

Status: Resolved
Priority: Normal
Assignee: Viktor Gurov
Category: Certificates
Target version:
Start date: 03/15/2021
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 21.05
Release Notes: Default
Affected Version: 2.5.0
Affected Architecture: All

Description

If you enable SSL/TLS Service for local clients in Unbound you can select a certificate to use for that.

In the Certificate Manager, though, Unbound is not shown as a user of that certificate like the webgui or OpenVPN would be, for example.

It does not prevent you deleting that certificate and doing so then prevents Unbound starting:

Mar 15 12:34:27     php-fpm     372     /status_services.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1615811667] unbound[44823:0] error: error for cert file: /var/unbound/sslcert.crt [1615811667] unbound[44823:0] error: error in SSL_CTX use_certificate_chain_file crypto error:0909006C:PEM routines:get_name:no start line [1615811667] unbound[44823:0] error: and additionally crypto error:140DC009:SSL routines:use_certificate_chain_file:PEM lib [1615811667] unbound[44823:0] fatal error: could not set up listen SSL_CTX' 

Tested:

2.5.0-RELEASE (amd64)
built on Tue Feb 16 08:56:29 EST 2021
FreeBSD 12.2-STABLE

Actions #1

Updated by Jim Pingle over 3 years ago

  • Target version changed from 2.5.1 to CE-Next

Not so critical we need to rush it into this release, but the next one, sure.

Actions #3

Updated by Jim Pingle over 3 years ago

  • Status changed from New to Pull Request Review

Actions #4

Updated by Renato Botelho over 3 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Viktor Gurov
  • Target version changed from CE-Next to 2.6.0

PR has been merged. Thanks!

Actions #5

Updated by Viktor Gurov over 3 years ago

  • % Done changed from 0 to 100

Actions #6

Updated by Pete Holzmann over 3 years ago

Jim Pingle wrote:

> Not so critical we need to rush it into this release, but the next one, sure.

Here's the real-world impact (for future understanding :) )
(I'm a reasonably experienced tech guy... only a few decades of Unix ;) )
  • In the middle of my busy day, including some pfSense cleanup work...
  • Looked like "at random" unbound was crashing... and then discovered it was crashing permanently
  • Found the log file error: error in cert file
  • Found /var/unbound -- cert files are there and empty
  • Looked at resolver config: there IS an assigned cert. Wow, looks like a strange bug
  • (Re)assigned certs and all was well. OK, now I am suspicious
  • Pondering the issue I realized there is no link between unbound and cert management... and came here to (search for the bug before reporting ;) )

A great example of "undocumented side effect" :) :)

Maybe not critical for all... but critical for my users and my time. This bug slammed us offline, hard.

Actions #7

Updated by Danilo Zrenjanin over 3 years ago

Tested on the latest Development version.

It still doesn't show Unbound as a user of the certificate. I was able to delete the certificate without issues. Please check again.

Actions #8

Updated by Jim Pingle over 3 years ago

  • Status changed from Feedback to Resolved

It works. It shows as in use when the certificate is active ("Enable SSL/TLS Service" checked), and it doesn't show in use when that is unset.
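
The check this issue asks for, and the enabled/disabled behaviour described in the comment above, modelled as an added Python example (not pfSense code and not written by anyone in this thread). The XML element names and the sample configuration are constructed assumptions for illustration, not pfSense's actual config schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample config. Element names (cert/refid, webgui/ssl-certref,
# unbound/enablessl, unbound/sslcertref) are assumptions for illustration.
SAMPLE_CONFIG = """
<config>
  <cert><refid>aaa111</refid><descr>GUI cert</descr></cert>
  <cert><refid>bbb222</refid><descr>Resolver TLS cert</descr></cert>
  <cert><refid>ccc333</refid><descr>Spare cert</descr></cert>
  <webgui><ssl-certref>aaa111</ssl-certref></webgui>
  <unbound><enablessl/><sslcertref>bbb222</sslcertref></unbound>
</config>
"""

def cert_users(root, refid):
    """Return the names of services that currently depend on certificate refid."""
    users = []
    if root.findtext("webgui/ssl-certref") == refid:
        users.append("webConfigurator")
    unbound = root.find("unbound")
    # Unbound counts as a user only while its TLS service is enabled, matching
    # the behaviour described in the thread; a stale reference alone does not.
    if (unbound is not None and unbound.find("enablessl") is not None
            and unbound.findtext("sslcertref") == refid):
        users.append("DNS Resolver (Unbound)")
    return users

def delete_cert(root, refid):
    """Delete a certificate entry, refusing while any service still uses it."""
    users = cert_users(root, refid)
    if users:
        raise ValueError(f"certificate {refid} in use by: {', '.join(users)}")
    for cert in root.findall("cert"):
        if cert.findtext("refid") == refid:
            root.remove(cert)
            return True
    return False  # no certificate with that refid exists

if __name__ == "__main__":
    root = ET.fromstring(SAMPLE_CONFIG)
    for ref in ("aaa111", "bbb222", "ccc333"):
        try:
            print(ref, "deleted" if delete_cert(root, ref) else "not found")
        except ValueError as err:
            print("refused:", err)
```

Every service that can be pointed at a certificate needs its own branch in `cert_users`; the outage reported here came from one consumer being absent from that list.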

Actions #9

Updated by Jim Pingle over 3 years ago

  • Plus Target Version set to 21.05

Already present on 21.05 builds.

Actions #10

Updated by Jim Pingle over 3 years ago

  • Subject changed from Certificate Manger does not reflect Unbound as a cert user to Certificate Manger does not report Unbound as using a certificate

Updating subject for release notes.

Actions #11

Updated by Jim Pingle over 3 years ago

  • Target version changed from 2.6.0 to 2.5.2

Actions #12

Updated by Pete Holzmann over 3 years ago

Jim Pingle wrote:

> Updating subject for release notes.

BTW, all this time the subject has a typo: Manger -> Manager :-D

I didn't see it myself until just now...

Actions #13

Updated by Jim Pingle over 3 years ago

  • Subject changed from Certificate Manger does not report Unbound as using a certificate to Certificate Manager does not report Unbound as using a certificate

Slipped by me, too. And spell check, since it's technically a valid word.

Thanks!
