Certificate Manager does not report Unbound as using a certificate
If you enable SSL/TLS Service for local clients in Unbound you can select a certificate to use for that.
In the Certifcate Manager though Unbound is not shown as a user of that certificate like the webgui or OpenVPN would be for example.
It does not prevent you deleting that certificate and doing so then prevents Unbound starting:
Mar 15 12:34:27 php-fpm 372 /status_services.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was ' unbound[44823:0] error: error for cert file: /var/unbound/sslcert.crt  unbound[44823:0] error: error in SSL_CTX use_certificate_chain_file crypto error:0909006C:PEM routines:get_name:no start line  unbound[44823:0] error: and additionally crypto error:140DC009:SSL routines:use_certificate_chain_file:PEM lib  unbound[44823:0] fatal error: could not set up listen SSL_CTX'
2.5.0-RELEASE (amd64) built on Tue Feb 16 08:56:29 EST 2021 FreeBSD 12.2-STABLE
Updated by Viktor Gurov 6 months ago
Updated by Pete Holzmann 5 months ago
Jim Pingle wrote:
Here's the real-world impact (for future understanding :) )
Not so critical we need to rush it into this release, but the next one, sure.
(I'm a reasonably experienced tech guy... only a few decades of Unix ;) )
- In the middle of my busy day, including some pfSense cleanup work...
- Looked like "at random" unbound was crashing... and then discovered it was crashing permanently
- Found the log file error: error in cert file
- Found /var/unbound -- cert files are there and empty
- Looked at resolver config: there IS an assigned cert. Wow, looks like a strange bug
- (Re)assigned certs and all was well. OK, now I am suspicious
- Pondering the issue I realized there is no link between unbound and cert management... and came here to (search for the bug before reporting ;) )
A great example of "undocumented side effect" :) :)
Maybe not critical for all... but critical for my users and my time. This bug slammed us offline, hard.