Bug 208529 - Error setting up SSL_CTX client key and cert and control-enable: no
Summary: Error setting up SSL_CTX client key and cert and control-enable: no
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: conf (show other bugs)
Version: 10.3-RELEASE
Hardware: amd64 Any
Importance: --- Affects Only Me
Assignee: Dag-Erling Smørgrav
URL:
Keywords:
Duplicates: 208555
Depends on:
Blocks:
Reported: 2016-04-04 19:39 UTC by Nick
Modified: 2017-09-10 00:28 UTC (History)
Attachments
Suggested patch (529 bytes, patch)
2016-05-28 09:33 UTC, Frans-Jan van Steenbeek
Description Nick 2016-04-04 19:39:45 UTC
After upgrade to 10.3-RELEASE I started getting this:

Starting local_unbound.
Waiting for nameserver to start...[1459797676] unbound-control[1690:0] warning: control-enable is 'no' in the config file.
error: Error setting up SSL_CTX client key and cert
34388867800:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('/var/unbound/unbound_control.pem','r')
34388867800:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400:
34388867800:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:687:
.[1459797677] unbound-control[1693:0] warning: control-enable is 'no' in the config file.
error: Error setting up SSL_CTX client key and cert
34388867800:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('/var/unbound/unbound_control.pem','r')
34388867800:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400:
34388867800:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:687:
.[1459797678] unbound-control[1696:0] warning: control-enable is 'no' in the config file.
error: Error setting up SSL_CTX client key and cert
34388867800:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('/var/unbound/unbound_control.pem','r')
34388867800:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400:
34388867800:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:687:
.[1459797679] unbound-control[1699:0] warning: control-enable is 'no' in the config file.
error: Error setting up SSL_CTX client key and cert
34388867800:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('/var/unbound/unbound_control.pem','r')
34388867800:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400:
34388867800:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:687:
.[1459797680] unbound-control[1702:0] warning: control-enable is 'no' in the config file.
error: Error setting up SSL_CTX client key and cert
34388867800:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('/var/unbound/unbound_control.pem','r')
34388867800:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400:
34388867800:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:687:
 giving up

Here's my discussion on the forum: https://forums.freebsd.org/threads/55738/
Comment 1 pete 2016-04-05 17:51:44 UTC
*** Bug 208555 has been marked as a duplicate of this bug. ***
Comment 2 cyclaero 2016-04-07 13:25:39 UTC
I found the culprit. It lies in the local_unbound_poststart() sub-routine in file /etc/rc.d/local_unbound. Said sub-routine has been newly introduced with RELEASE-10.3.

For checking the online status of Unbound, the remote control tool unbound-control is utilized, which is disabled by default and not properly set up on most machines.

In my file /etc/rc.d/local_unbound I commented out the body of local_unbound_poststart():
Code:
#
# After starting, wait for Unbound to report that it is ready to avoid
# race conditions with services which require functioning DNS.
#
local_unbound_poststart()
{
#    local retry=5
#
#    echo -n "Waiting for nameserver to start..."
#    until "${command}-control" status | grep -q "is running" ; do
#        if [ $((retry -= 1)) -eq 0 ] ; then
#            echo " giving up"
#            return 1
#        fi
#        echo -n "."
#        sleep 1
#    done
#    echo " good"
}

This solved the problem for me. I have been using Unbound for 2 years, and I never saw any race conditions anyway. If we really need to check whether Unbound is running, why not simply run `drill localhost @127.0.0.1`, or something similar along this line? The additional benefit of this would be that the timeout feature is built into the drill command.
Comment 3 Frans-Jan van Steenbeek 2016-05-28 09:33:52 UTC
Created attachment 170744 [details]
Suggested patch

See attached suggested patch.

Assuming people use unbound-control with local_unbound is a bit of a stretch, especially since unbound-control-setup isn't even bundled. This patch tests the functionality of the local resolver, which is just as good or even better than querying the state. It assumes that local_unbound is configured to run on IPv4 localhost and that the .com zone is not somehow disabled or inaccessible. These assumptions are *way* smaller than assuming unbound-control works. Besides that, failure is less "messy" to look at.
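One way to implement the drill-based readiness check that comment 2 proposes and the resolver-functionality approach comment 3 describes, written as an added sh example (it is neither the attached patch nor the rc.d script that ships with FreeBSD); the function names and the choice to query `localhost` on 127.0.0.1 are assumptions:

```sh
#!/bin/sh
# Added example, not the attached patch or FreeBSD's /etc/rc.d/local_unbound:
# a readiness check for local_unbound_poststart() that probes the resolver
# itself with drill(1) instead of unbound-control, which needs control-enable
# and the /var/unbound/unbound_control.pem key pair the errors above show
# missing. Function names and the probe target are assumptions.

# resolver_answers: succeed only when unbound on 127.0.0.1 returns a real
# answer. drill exits 0 for any reply it receives, so the rcode is checked
# too; "localhost" is served from unbound's built-in local zone (assumption).
resolver_answers()
{
    drill localhost @127.0.0.1 2>/dev/null | grep -q 'rcode: NOERROR'
}

# wait_for_resolver RETRIES CMD [ARGS...]: run CMD once per second until it
# succeeds or RETRIES attempts (at least 1) are used up. Returns 0 when the
# nameserver answered, 1 after giving up, the same contract as the rc.d hook.
wait_for_resolver()
{
    retry="$1"; shift
    printf 'Waiting for nameserver to start...'
    until "$@" >/dev/null 2>&1 ; do
        if [ $((retry -= 1)) -eq 0 ] ; then
            echo " giving up"
            return 1
        fi
        printf '.'
        sleep 1
    done
    echo " good"
    return 0
}

# On a FreeBSD host the poststart hook would make this call:
# wait_for_resolver 5 resolver_answers
```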
Comment 4 jonas.bulow 2016-08-05 21:10:51 UTC
This is still an issue in 11.0-BETA3. It's very annoying having DNS broken by default.
Comment 5 Stefan 2016-08-21 00:11:03 UTC
Bug still present in 11-RC1.
Would be great if the patch could be applied, as this false error spam is just annoying and distracting.
Comment 6 Patrick Winslow 2016-10-28 10:23:20 UTC
Bug still present in 11.0-RELEASE-p2.

The patch is five months old. It does no harm. Please apply it.
Comment 7 Patrick Winslow 2016-12-09 11:36:49 UTC
Bug still present in 11.0-RELEASE-p2^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H11.0-RELEASE-p5.

The patch is five months old^H^H^H^H^H^H^H^H^H^H^H^H^H^H^Hsix months and eleven days old. It does no harm. Please apply it.
Comment 8 Frans-Jan van Steenbeek 2016-12-09 13:21:51 UTC
(In reply to Patrick Winslow from comment #7)
As creator of the patch, is there anything I can do to help get this sorted?
Comment 9 Patrick Winslow 2016-12-09 15:23:00 UTC
(In reply to Frans-Jan van Steenbeek from comment #8)
Thank you for the patch. I applied it to my systems manually. I'm just concerned this bug will persist for months or years. The scary error messages are surely causing a lot of people to waste time searching for information.
Comment 10 dirkx 2016-12-24 11:50:01 UTC
FWIW: Patch applies cleanly (and is needed!) on a 10.2->11.0 release update.
Comment 11 Johannes Jost Meixner freebsd_committer freebsd_triage 2017-06-15 11:35:04 UTC
Still an issue in 12.0-CURRENT with local_unbound enabled as services to start in bsdinstall.
Comment 12 Dag-Erling Smørgrav freebsd_committer freebsd_triage 2017-06-15 12:13:58 UTC
User and / or configuration error. Please run `service local_unbound setup` to correct and refrain from manual configuration changes.
Comment 13 Johannes Jost Meixner freebsd_committer freebsd_triage 2017-06-15 12:23:50 UTC
Reopening, this problem persists.

On an almost fresh 12.0-CURRENT install:

root@test:~ # service local_unbound setup
Performing initial setup.
Extracting forwarders from /etc/resolv.conf.
/var/unbound/forward.conf not modified
/var/unbound/lan-zones.conf not modified
/var/unbound/control.conf not modified
/var/unbound/unbound.conf not modified
original /etc/resolvconf.conf saved as /etc/resolvconf.conf.20170615.122208
original /etc/resolv.conf saved as /etc/resolv.conf.20170615.122208
root@test:~ # service local_unbound start
Starting local_unbound.
Waiting for nameserver to start...error: SSL handshake failed
.[1497529349] unbound-control[43421:0] error: connect: Connection refused for (inet_ntop error)
.[1497529350] unbound-control[44597:0] error: connect: Connection refused for (inet_ntop error)
.[1497529351] unbound-control[99905:0] error: connect: Connection refused for (inet_ntop error)
.[1497529352] unbound-control[12367:0] error: connect: Connection refused for (inet_ntop error)
 giving up