Bug 208529
| Summary: | Error setting up SSL_CTX client key and cert and control-enable: no | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Base System | Reporter: | Nick <amp> | ||||
| Component: | conf | Assignee: | Dag-Erling Smørgrav <des> | ||||
| Status: | Open --- | ||||||
| Severity: | Affects Only Me | CC: | arved, blachste, cyclaero, des, dirkx, frans-jan, freebsd, gleb, jonas.bulow, mwestza, patrick.s.winslow, pete, uzsolt, xmj | ||||
| Priority: | --- | ||||||
| Version: | 10.3-RELEASE | ||||||
| Hardware: | amd64 | ||||||
| OS: | Any | ||||||
| Attachments: |
|
||||||
*** Bug 208555 has been marked as a duplicate of this bug. *** I found the culprit. It lies in the local_unbound_poststart() sub-routine in file /etc/rc.d/local_unbound. Said sub-routine has been newly introduced with RELEASE-10.3.
For checking the online status of Unbound the remote control tool unbound-control is utilized, which is disabled by default, and not properly setup on most machines.
In my file /etc/rc.d/local_unbound I commented out he body of local_unbound_poststart():
Code:
#
# After starting, wait for Unbound to report that it is ready to avoid
# race conditions with services which require functioning DNS.
#
local_unbound_poststart()
{
# local retry=5
#
# echo -n "Waiting for nameserver to start..."
# until "${command}-control" status | grep -q "is running" ; do
# if [ $((retry -= 1)) -eq 0 ] ; then
# echo " giving up"
# return 1
# fi
# echo -n "."
# sleep 1
# done
# echo " good"
}
This solved the problem for me. I am using Unbound since 2 years, and I never saw any race conditions, anyway. If we really need to check whether Unbound is running, why not simply run `drill localhost @127.0.0.1`, or something similar along this line. The additional benefit of this would be, that the timing out feature is built-in to the drill command.
Created attachment 170744 [details]
Suggested patch
See attached suggested patch.
Assuming people use unbound-control with local_unbound is a bit of a stretch, especially since unbound-control-setup isn't even bundled. This patch tests the functionality of the local resolver, which is just as good or even better than querying the state. It assumes that local_unbound is configured to run on IPv4 localhost and that the .com zone is not somehow disabled or inaccessible. These assumptions are *way* smaller than assuming unbound-control works. Besides that, failure is less "messy" to look at.
This is still an issue in 11.0-BETA3. It's very annoying having DNS broken by default. Bug still present in 11-RC1. Would be great if the patch could be applied, as this false error spam is just annoying and distracting. Bug still present in 11.0-RELEASE-p2. The patch is five months old. It does no harm. Please apply it. Bug still present in 11.0-RELEASE-p2^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H11.0-RELEASE-p5. The patch is five months old^H^H^H^H^H^H^H^H^H^H^H^H^H^H^Hsix months and eleven days old. It does no harm. Please apply it. (In reply to Patrick Winslow from comment #7) As creator of the patch, is there anything I can do to help get this sorted? (In reply to Frans-Jan van Steenbeek from comment #8) Thank you for the patch. I applied it to my systems manually. I'm just concerned this bug will persist for months or years. The scary error messages are surely causing a lot of people to waste time searching for information. FWII: Patch applies cleanly (and is needed!) on a 10.2->11.0 release update. Still an issue in 12.0-CURRENT with local_unbound enabled as services to start in bsdinstall. User and / or configuration error. Please run `service local_unbound setup` to correct and refrain from manual configuration changes. Reopening, this problem persists - On an almost fresh 12.0-CURRENT install: root@test:~ # service local_unbound setup Performing initial setup. Extracting forwarders from /etc/resolv.conf. /var/unbound/forward.conf not modified /var/unbound/lan-zones.conf not modified /var/unbound/control.conf not modified /var/unbound/unbound.conf not modified original /etc/resolvconf.conf saved as /etc/resolvconf.conf.20170615.122208 original /etc/resolv.conf saved as /etc/resolv.conf.20170615.122208 root@test:~ # service local_unbound start Starting local_unbound. Waiting for nameserver to start...error: SSL handshake failed .[1497529349] unbound-control[43421:0] error: connect: Connection refused for (inet_ntop error) .[1497529350] unbound-control[44597:0] error: connect: Connection refused for (inet_ntop error) .[1497529351] unbound-control[99905:0] error: connect: Connection refused for (inet_ntop error) .[1497529352] unbound-control[12367:0] error: connect: Connection refused for (inet_ntop error) giving up |
After upgrade to 10.3-RELEASE I started getting this: Starting local_unbound. Waiting for nameserver to start...[1459797676] unbound-control[1690:0] warning: control-enable is 'no' in the config file. error: Error setting up SSL_CTX client key and cert 34388867800:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('/var/unbound/unbound_control.pem','r') 34388867800:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400: 34388867800:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:687: .[1459797677] unbound-control[1693:0] warning: control-enable is 'no' in the config file. error: Error setting up SSL_CTX client key and cert 34388867800:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('/var/unbound/unbound_control.pem','r') 34388867800:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400: 34388867800:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:687: .[1459797678] unbound-control[1696:0] warning: control-enable is 'no' in the config file. error: Error setting up SSL_CTX client key and cert 34388867800:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('/var/unbound/unbound_control.pem','r') 34388867800:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400: 34388867800:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:687: .[1459797679] unbound-control[1699:0] warning: control-enable is 'no' in the config file. error: Error setting up SSL_CTX client key and cert 34388867800:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('/var/unbound/unbound_control.pem','r') 34388867800:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400: 34388867800:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:687: .[1459797680] unbound-control[1702:0] warning: control-enable is 'no' in the config file. error: Error setting up SSL_CTX client key and cert 34388867800:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('/var/unbound/unbound_control.pem','r') 34388867800:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400: 34388867800:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:687: giving up He's my discussion on the forum https://forums.freebsd.org/threads/55738/