Bug #11678
closedCertificate Manager does not report Unbound as using a certificate
100%
Description
If you enable SSL/TLS Service for local clients in Unbound you can select a certificate to use for that.
In the Certifcate Manager though Unbound is not shown as a user of that certificate like the webgui or OpenVPN would be for example.
It does not prevent you deleting that certificate and doing so then prevents Unbound starting:
Mar 15 12:34:27 php-fpm 372 /status_services.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1615811667] unbound[44823:0] error: error for cert file: /var/unbound/sslcert.crt [1615811667] unbound[44823:0] error: error in SSL_CTX use_certificate_chain_file crypto error:0909006C:PEM routines:get_name:no start line [1615811667] unbound[44823:0] error: and additionally crypto error:140DC009:SSL routines:use_certificate_chain_file:PEM lib [1615811667] unbound[44823:0] fatal error: could not set up listen SSL_CTX'
Tested:
2.5.0-RELEASE (amd64) built on Tue Feb 16 08:56:29 EST 2021 FreeBSD 12.2-STABLE
Updated by Jim Pingle almost 4 years ago
- Target version changed from 2.5.1 to CE-Next
Not so critical we need to rush it into this release, but the next one, sure.
Updated by Viktor Gurov almost 4 years ago
Updated by Jim Pingle almost 4 years ago
- Status changed from New to Pull Request Review
Updated by Renato Botelho over 3 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Viktor Gurov
- Target version changed from CE-Next to 2.6.0
PR has been merged. Thanks!
Updated by Viktor Gurov over 3 years ago
- % Done changed from 0 to 100
Applied in changeset 39d83c73ce8b1b5d99540ccfc6734b3ad4d23107.
Updated by Pete Holzmann over 3 years ago
Jim Pingle wrote:
Here's the real-world impact (for future understanding :) )Not so critical we need to rush it into this release, but the next one, sure.
(I'm a reasonably experienced tech guy... only a few decades of Unix ;) )
- In the middle of my busy day, including some pfSense cleanup work...
- Looked like "at random" unbound was crashing... and then discovered it was crashing permanently
- Found the log file error: error in cert file
- Found /var/unbound -- cert files are there and empty
- Looked at resolver config: there IS an assigned cert. Wow, looks like a strange bug
- (Re)assigned certs and all was well. OK, now I am suspicious
- Pondering the issue I realized there is no link between unbound and cert management... and came here to (search for the bug before reporting ;) )
A great example of "undocumented side effect" :) :)
Maybe not critical for all... but critical for my users and my time. This bug slammed us offline, hard.
Updated by Danilo Zrenjanin over 3 years ago
Tested on the latest Development version.
It still doesn't show Unbound as a user of the certificate. I was able to delete the certificate without issues. Please check again.
Updated by Jim Pingle over 3 years ago
- Status changed from Feedback to Resolved
It works. It shows as in use when the certificate is active ("Enable SSL/TLS Service" checked), and it doesn't show in use when that is unset.
Updated by Jim Pingle over 3 years ago
- Plus Target Version set to 21.05
Already present on 21.05 builds.
Updated by Jim Pingle over 3 years ago
- Subject changed from Certificate Manger does not reflect Unbound as a cert user to Certificate Manger does not report Unbound as using a certificate
Updating subject for release notes.
Updated by Jim Pingle over 3 years ago
- Target version changed from 2.6.0 to 2.5.2
Updated by Pete Holzmann over 3 years ago
Jim Pingle wrote:
Updating subject for release notes.
BTW, all this time the subject has a typo: Manger -> Manager :-D
I didn't see it myself until just now...
Updated by Jim Pingle over 3 years ago
- Subject changed from Certificate Manger does not report Unbound as using a certificate to Certificate Manager does not report Unbound as using a certificate
Slipped by me, too. And spell check, since it's technically a valid word.
Thanks!