After upgrade to 10.3-RELEASE I started getting this: Starting local_unbound. Waiting for nameserver to start...[1459797676] unbound-control[1690:0] warning: control-enable is 'no' in the config file. error: Error setting up SSL_CTX client key and cert 34388867800:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('/var/unbound/unbound_control.pem','r') 34388867800:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400: 34388867800:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:687: .[1459797677] unbound-control[1693:0] warning: control-enable is 'no' in the config file. error: Error setting up SSL_CTX client key and cert 34388867800:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('/var/unbound/unbound_control.pem','r') 34388867800:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400: 34388867800:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:687: .[1459797678] unbound-control[1696:0] warning: control-enable is 'no' in the config file. error: Error setting up SSL_CTX client key and cert 34388867800:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('/var/unbound/unbound_control.pem','r') 34388867800:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400: 34388867800:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:687: .[1459797679] unbound-control[1699:0] warning: control-enable is 'no' in the config file. error: Error setting up SSL_CTX client key and cert 34388867800:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('/var/unbound/unbound_control.pem','r') 34388867800:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400: 34388867800:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:687: .[1459797680] unbound-control[1702:0] warning: control-enable is 'no' in the config file. error: Error setting up SSL_CTX client key and cert 34388867800:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('/var/unbound/unbound_control.pem','r') 34388867800:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400: 34388867800:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:687: giving up He's my discussion on the forum https://forums.freebsd.org/threads/55738/
*** Bug 208555 has been marked as a duplicate of this bug. ***
I found the culprit. It lies in the local_unbound_poststart() sub-routine in file /etc/rc.d/local_unbound. Said sub-routine has been newly introduced with RELEASE-10.3. For checking the online status of Unbound the remote control tool unbound-control is utilized, which is disabled by default, and not properly setup on most machines. In my file /etc/rc.d/local_unbound I commented out he body of local_unbound_poststart(): Code: # # After starting, wait for Unbound to report that it is ready to avoid # race conditions with services which require functioning DNS. # local_unbound_poststart() { # local retry=5 # # echo -n "Waiting for nameserver to start..." # until "${command}-control" status | grep -q "is running" ; do # if [ $((retry -= 1)) -eq 0 ] ; then # echo " giving up" # return 1 # fi # echo -n "." # sleep 1 # done # echo " good" } This solved the problem for me. I am using Unbound since 2 years, and I never saw any race conditions, anyway. If we really need to check whether Unbound is running, why not simply run `drill localhost @127.0.0.1`, or something similar along this line. The additional benefit of this would be, that the timing out feature is built-in to the drill command.
Created attachment 170744 [details] Suggested patch See attached suggested patch. Assuming people use unbound-control with local_unbound is a bit of a stretch, especially since unbound-control-setup isn't even bundled. This patch tests the functionality of the local resolver, which is just as good or even better than querying the state. It assumes that local_unbound is configured to run on IPv4 localhost and that the .com zone is not somehow disabled or inaccessible. These assumptions are *way* smaller than assuming unbound-control works. Besides that, failure is less "messy" to look at.
This is still an issue in 11.0-BETA3. It's very annoying having DNS broken by default.
Bug still present in 11-RC1. Would be great if the patch could be applied, as this false error spam is just annoying and distracting.
Bug still present in 11.0-RELEASE-p2. The patch is five months old. It does no harm. Please apply it.
Bug still present in 11.0-RELEASE-p2^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H11.0-RELEASE-p5. The patch is five months old^H^H^H^H^H^H^H^H^H^H^H^H^H^H^Hsix months and eleven days old. It does no harm. Please apply it.
(In reply to Patrick Winslow from comment #7) As creator of the patch, is there anything I can do to help get this sorted?
(In reply to Frans-Jan van Steenbeek from comment #8) Thank you for the patch. I applied it to my systems manually. I'm just concerned this bug will persist for months or years. The scary error messages are surely causing a lot of people to waste time searching for information.
FWII: Patch applies cleanly (and is needed!) on a 10.2->11.0 release update.
Still an issue in 12.0-CURRENT with local_unbound enabled as services to start in bsdinstall.
User and / or configuration error. Please run `service local_unbound setup` to correct and refrain from manual configuration changes.
Reopening, this problem persists - On an almost fresh 12.0-CURRENT install: root@test:~ # service local_unbound setup Performing initial setup. Extracting forwarders from /etc/resolv.conf. /var/unbound/forward.conf not modified /var/unbound/lan-zones.conf not modified /var/unbound/control.conf not modified /var/unbound/unbound.conf not modified original /etc/resolvconf.conf saved as /etc/resolvconf.conf.20170615.122208 original /etc/resolv.conf saved as /etc/resolv.conf.20170615.122208 root@test:~ # service local_unbound start Starting local_unbound. Waiting for nameserver to start...error: SSL handshake failed .[1497529349] unbound-control[43421:0] error: connect: Connection refused for (inet_ntop error) .[1497529350] unbound-control[44597:0] error: connect: Connection refused for (inet_ntop error) .[1497529351] unbound-control[99905:0] error: connect: Connection refused for (inet_ntop error) .[1497529352] unbound-control[12367:0] error: connect: Connection refused for (inet_ntop error) giving up