Bug #11678

Certificate Manager does not report Unbound as using a certificate

Added by Steve Wheeler about 2 months ago. Updated 1 day ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Certificates
Target version:
Start date: 03/15/2021
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 21.05
Release Notes: Default
Affected Version: 2.5.0
Affected Architecture: All

Description

If you enable SSL/TLS Service for local clients in Unbound you can select a certificate to use for that.

In the Certificate Manager, though, Unbound is not shown as a user of that certificate like the webgui or OpenVPN would be, for example.

It does not prevent you deleting that certificate and doing so then prevents Unbound starting:

Mar 15 12:34:27     php-fpm     372     /status_services.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1615811667] unbound[44823:0] error: error for cert file: /var/unbound/sslcert.crt [1615811667] unbound[44823:0] error: error in SSL_CTX use_certificate_chain_file crypto error:0909006C:PEM routines:get_name:no start line [1615811667] unbound[44823:0] error: and additionally crypto error:140DC009:SSL routines:use_certificate_chain_file:PEM lib [1615811667] unbound[44823:0] fatal error: could not set up listen SSL_CTX' 

Tested:

2.5.0-RELEASE (amd64)
built on Tue Feb 16 08:56:29 EST 2021
FreeBSD 12.2-STABLE

Associated revisions

Revision 39d83c73 (diff)
Added by Viktor Gurov about 1 month ago

Show Unbound used certificate on the Certificate Manager page. Fixes #11678

History

#1 Updated by Jim Pingle about 2 months ago

  • Target version changed from 2.5.1 to CE-Next

Not so critical we need to rush it into this release, but the next one, sure.

#3 Updated by Jim Pingle about 2 months ago

  • Status changed from New to Pull Request Review

#4 Updated by Renato Botelho about 1 month ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Viktor Gurov
  • Target version changed from CE-Next to 2.6.0

PR has been merged. Thanks!

#5 Updated by Viktor Gurov about 1 month ago

  • % Done changed from 0 to 100

#6 Updated by Pete Holzmann 23 days ago

Jim Pingle wrote:

Not so critical we need to rush it into this release, but the next one, sure.

Here's the real-world impact (for future understanding :) )
(I'm a reasonably experienced tech guy... only a few decades of Unix ;) )
  • In the middle of my busy day, including some pfSense cleanup work...
  • Looked like "at random" unbound was crashing... and then discovered it was crashing permanently
  • Found the log file error: error in cert file
  • Found /var/unbound -- cert files are there and empty
  • Looked at resolver config: there IS an assigned cert. Wow, looks like a strange bug
  • (Re)assigned certs and all was well. OK, now I am suspicious
  • Pondering the issue I realized there is no link between unbound and cert management... and came here to (search for the bug before reporting ;) )

A great example of "undocumented side effect" :) :)

Maybe not critical for all... but critical for my users and my time. This bug slammed us offline, hard.
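An added example, not part of the original ticket or of the pfSense code base: a pre-start sanity check for the failure described above, where the certificate file Unbound loads (/var/unbound/sslcert.crt in the log) exists but is empty, giving the "no start line" PEM error. The function name and verdict strings are assumptions made for this sketch; it checks file structure only, not the chain or the private key.

```shell
#!/bin/sh
# Added example: structural check of a PEM certificate file before a
# service that depends on it is (re)started. Names here are hypothetical.

# check_pem_cert FILE
# Prints a one-word verdict and returns 0 only when the verdict is "ok".
check_pem_cert() {
    f="$1"
    if [ ! -e "$f" ]; then
        echo "missing"; return 1
    fi
    # The case from this report: the file is present but zero bytes long.
    if [ ! -s "$f" ]; then
        echo "empty"; return 1
    fi
    # OpenSSL reports "no start line" when this marker is absent.
    if ! grep -q -e '^-----BEGIN CERTIFICATE-----' "$f"; then
        echo "no-start-line"; return 1
    fi
    if ! grep -q -e '^-----END CERTIFICATE-----' "$f"; then
        echo "truncated"; return 1
    fi
    echo "ok"; return 0
}

# Usage: sh check_cert.sh /var/unbound/sslcert.crt [more files...]
# Exits non-zero if any file fails, so it can gate a restart.
if [ "$#" -gt 0 ]; then
    status=0
    for path in "$@"; do
        verdict=$(check_pem_cert "$path") || status=1
        echo "$path: $verdict"
    done
    exit "$status"
fi
```
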

#7 Updated by Danilo Zrenjanin 19 days ago

Tested on the latest Development version.

It still doesn't show Unbound as a user of the certificate. I was able to delete the certificate without issues. Please check again.

#8 Updated by Jim Pingle 17 days ago

  • Status changed from Feedback to Resolved

It works. It shows as in use when the certificate is active ("Enable SSL/TLS Service" checked), and it doesn't show in use when that is unset.

#9 Updated by Jim Pingle 2 days ago

  • Plus Target Version set to 21.05

Already present on 21.05 builds.

#10 Updated by Jim Pingle 1 day ago

  • Subject changed from Certificate Manager does not reflect Unbound as a cert user to Certificate Manager does not report Unbound as using a certificate

Updating subject for release notes.
