Bug #11678
closed
Certificate Manager does not report Unbound as using a certificate
Added by Steve Wheeler over 3 years ago.
Updated over 3 years ago.
Plus Target Version:
21.05
Affected Architecture:
All
Description
If you enable SSL/TLS Service for local clients in Unbound you can select a certificate to use for that.
In the Certificate Manager, though, Unbound is not shown as a user of that certificate like the webgui or OpenVPN would be, for example.
It does not prevent you deleting that certificate and doing so then prevents Unbound starting:
Mar 15 12:34:27 php-fpm 372 /status_services.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1615811667] unbound[44823:0] error: error for cert file: /var/unbound/sslcert.crt [1615811667] unbound[44823:0] error: error in SSL_CTX use_certificate_chain_file crypto error:0909006C:PEM routines:get_name:no start line [1615811667] unbound[44823:0] error: and additionally crypto error:140DC009:SSL routines:use_certificate_chain_file:PEM lib [1615811667] unbound[44823:0] fatal error: could not set up listen SSL_CTX'
Tested:
2.5.0-RELEASE (amd64)
built on Tue Feb 16 08:56:29 EST 2021
FreeBSD 12.2-STABLE
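The failure reported above can be caught before Unbound is started. The following sh function is an added example, not pfSense code: it classifies the certificate file at the path shown in the log, and the function name and status strings are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: pre-flight check of the certificate file Unbound loads for
# its SSL/TLS service. The default path is the one from the log in this
# report; check_unbound_cert and its status words are hypothetical names.

check_unbound_cert() {
    cert="${1:-/var/unbound/sslcert.crt}"

    # File was never written or has been removed
    if [ ! -e "$cert" ]; then
        echo "missing"
        return 1
    fi

    # Zero-byte file: the state a later comment in this thread describes
    # ("cert files are there and empty")
    if [ ! -s "$cert" ]; then
        echo "empty"
        return 1
    fi

    # No PEM header: matches the "PEM routines:get_name:no start line" error
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$cert"; then
        echo "no-pem-start-line"
        return 1
    fi

    # When openssl is installed, confirm the PEM block actually parses
    if command -v openssl >/dev/null 2>&1; then
        if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
            echo "unparseable"
            return 1
        fi
    fi

    echo "ok"
    return 0
}
```

A non-zero return with one of the status words points at the certificate assignment rather than at Unbound itself.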
- Target version changed from 2.5.1 to CE-Next
Not so critical we need to rush it into this release, but the next one, sure.
- Status changed from New to Pull Request Review
- Status changed from Pull Request Review to Feedback
- Assignee set to Viktor Gurov
- Target version changed from CE-Next to 2.6.0
PR has been merged. Thanks!
- % Done changed from 0 to 100
Jim Pingle wrote:
Not so critical we need to rush it into this release, but the next one, sure.
Here's the real-world impact (for future understanding :) )
(I'm a reasonably experienced tech guy... only a few decades of Unix ;) )
- In the middle of my busy day, including some pfSense cleanup work...
- Looked like "at random" unbound was crashing... and then discovered it was crashing permanently
- Found the log file error: error in cert file
- Found /var/unbound -- cert files are there and empty
- Looked at resolver config: there IS an assigned cert. Wow, looks like a strange bug
- (Re)assigned certs and all was well. OK, now I am suspicious
- Pondering the issue I realized there is no link between unbound and cert management... and came here to (search for the bug before reporting ;) )
A great example of "undocumented side effect" :) :)
Maybe not critical for all... but critical for my users and my time. This bug slammed us offline, hard.
Tested on the latest Development version.
It still doesn't show Unbound as a user of the certificate. I was able to delete the certificate without issues. Please check again.
- Status changed from Feedback to Resolved
It works. It shows as in use when the certificate is active ("Enable SSL/TLS Service" checked), and it doesn't show in use when that is unset.
- Plus Target Version set to 21.05
Already present on 21.05 builds.
- Subject changed from Certificate Manger does not reflect Unbound as a cert user to Certificate Manger does not report Unbound as using a certificate
Updating subject for release notes.
- Target version changed from 2.6.0 to 2.5.2
Jim Pingle wrote:
Updating subject for release notes.
BTW, all this time the subject has a typo: Manger -> Manager :-D
I didn't see it myself until just now...
- Subject changed from Certificate Manger does not report Unbound as using a certificate to Certificate Manager does not report Unbound as using a certificate
Slipped by me, too. And spell check, since it's technically a valid word.
Thanks!