# unbound SSL_CTX errors after upgrade



## nforced (Apr 4, 2016)

I just upgraded from 10.2-RELEASE to 10.3-RELEASE and after the second reboot I saw this:

```
Starting local_unbound.
Waiting for nameserver to start...[1459794274] unbound-control[483:0] warning: control-enable is 'no' in the config file.
error: Error setting up SSL_CTX client key and cert
34388867800:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('/var/unbound/unbound_control.pem','r')
34388867800:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400:
34388867800:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:687:
.[1459794275] unbound-control[486:0] warning: control-enable is 'no' in the config file.
error: Error setting up SSL_CTX client key and cert
34388867800:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('/var/unbound/unbound_control.pem','r')
34388867800:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400:
34388867800:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:687:
.[1459794276] unbound-control[489:0] warning: control-enable is 'no' in the config file.
error: Error setting up SSL_CTX client key and cert
34388867800:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('/var/unbound/unbound_control.pem','r')
34388867800:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400:
34388867800:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:687:
.[1459794277] unbound-control[492:0] warning: control-enable is 'no' in the config file.
error: Error setting up SSL_CTX client key and cert
34388867800:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('/var/unbound/unbound_control.pem','r')
34388867800:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400:
34388867800:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:687:
.[1459794278] unbound-control[495:0] warning: control-enable is 'no' in the config file.
error: Error setting up SSL_CTX client key and cert
34388867800:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('/var/unbound/unbound_control.pem','r')
34388867800:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400:
34388867800:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:687:
giving up
```
Does anyone know why this happened and how to solve it?


----------



## cpm@ (Apr 4, 2016)

Have you added the following at the end of the config file?

```
control-enable: yes
```
Read the unbound.conf(5) man page for further details.


----------



## nforced (Apr 4, 2016)

No, I didn't have that, but when I add it I get:

```
#service local_unbound restart
local_unbound not running? (check /var/run/local_unbound.pid).
Starting local_unbound.
/var/unbound/unbound.conf:5: error: syntax error
read /var/unbound/unbound.conf failed: 1 errors in configuration file
[1459796363] unbound[1404:0] fatal error: Could not read config file: /var/unbound/unbound.conf
/etc/rc.d/local_unbound: WARNING: failed to start local_unbound
```
Without "control-enable: yes" I get the initial errors.
Anyway, I wonder whether this is worth a PR or whether it's something on my side that needs to be done. Overall I don't think this should have happened in the first place without a reason.


----------



## DutchDaemon (Apr 4, 2016)

```
remote-control:
       control-enable: no
```
Setting this in unbound.conf should not produce these weird messages, because Unbound works fine after spewing them, and setting it to no already tells Unbound to _not_ initialise SSL/TLS. Those errors are not a good thing.

```
error: Error setting up SSL_CTX client key and cert
```
That is really baloney, and unnecessarily alarmist.


----------



## DutchDaemon (Apr 4, 2016)

nforced said:


> No, I didn't have that, but when I add it I get:
> 
> ```
> #service local_unbound restart
> ...



You need the category, see above. But that's the same as leaving it out entirely, because the default is already no. The screenful of errors is not appreciated, by me anyway.


----------



## cpm@ (Apr 4, 2016)

Put this line in the correct place:

```
remote-control:
       control-enable: yes
```

PS. DutchDaemon replied first


----------



## nforced (Apr 4, 2016)

OK, I did what you advised. I put

```
remote-control:
    control-enable: yes
```
at the bottom of /etc/unbound/unbound.conf

and here's what's happening:

```
service local_unbound start
Starting local_unbound.
/etc/rc.d/local_unbound: WARNING: failed to start local_unbound
```
/var/log/messages

```
Apr  4 22:13:56 beast unbound: [1600:0] error: Error for server-cert-file: /var/unbound/unbound_server.pem
Apr  4 22:13:56 beast unbound: [1600:0] error: Error in SSL_CTX use_certificate_chain_file crypto error:02001002:system library:fopen:No such file or directory
Apr  4 22:13:56 beast unbound: [1600:0] error: and additionally crypto error:20074002:BIO routines:FILE_CTRL:system lib
Apr  4 22:13:56 beast unbound: [1600:0] error: and additionally crypto error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib
Apr  4 22:13:56 beast unbound: [1600:0] fatal error: could not set up remote-control
Apr  4 22:13:56 beast booster: /etc/rc.d/local_unbound: WARNING: failed to start local_unbound
```


----------



## DutchDaemon (Apr 4, 2016)

Of course, if you set it to _yes_ you will have to set it up _entirely_, with the certificates and keys and everything. Very few people will actually need remote control of their resolvers. So set it to _no_ (or remove it) and just swallow the horrible errors (for now).


----------



## nforced (Apr 4, 2016)

DutchDaemon said:


> Of course, if you set it to _yes_ you will have to set it up _entirely_, with the certificates and keys and everything.


Ok, I don't want this since I never had it and I really don't need it. So I removed that and got the initial warnings again. It's good that it works that way, but it's still sad to see this output with *control-enable: no*, so I wonder whether I should submit a PR on this or just leave it like that until someone fixes it for some other reason?


----------



## DutchDaemon (Apr 4, 2016)

I'm sure PRs will be lodged almost instantly, but it doesn't hurt.


----------



## nforced (Apr 4, 2016)

Right, I just did that: PR 208529. Let's see what will happen.


----------



## cpm@ (Apr 5, 2016)

nforced said:


> Right, I just did that https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208529 let's see what will happen



You should set up unbound-control correctly. From the unbound-control(8) man page:


> *SET UP*
> The setup requires a self-signed certificate and private keys for both
> the server and client. The script unbound-control-setup generates
> these in the default run directory, or with -d in another directory.
> ...




----------



## DutchDaemon (Apr 5, 2016)

Setting it to _no_ should never produce these errors, that is the point of the bug report.


----------



## uzsolt (Apr 6, 2016)

cpm said:


> You should set up unbound-control correctly. From the unbound-control (8) man page:


But you should install dns/unbound because the base system doesn't contain `unbound-control-setup`.

But I agree with DutchDaemon (with control-enable: no you shouldn't see these error messages).


----------



## cpm@ (Apr 7, 2016)

uzsolt said:


> But you should install dns/unbound because the base system doesn't contain `unbound-control-setup`.



Thanks for clarifying this.

nforced: Consider installing the dns/unbound port. You'll have unbound updated more frequently than what's in FreeBSD base, because the port maintainer has fewer things to deal with than the OS team.


----------



## obsigna (Apr 7, 2016)

Only today I also saw this on my server, which I recently updated from RELEASE-10.2 to -10.3.

I found the culprit. It lies in the local_unbound_poststart() sub-routine in file /etc/rc.d/local_unbound. Said sub-routine has been newly introduced with RELEASE-10.3 in order to:


			
				/etc/rc.d/local_unbound said:
			
		

> #
> # After starting, wait for Unbound to report that it is ready to avoid
> # race conditions with services which require functioning DNS.
> #



And for checking the online status of Unbound, somebody got the particularly bright idea to utilize the remote control tool unbound-control, which is disabled by default and not properly set up on most machines, and to add insult to injury, local_unbound_poststart() tries it 5 times before giving up.

In my file /etc/rc.d/local_unbound I commented out the body of local_unbound_poststart():

```
#
# After starting, wait for Unbound to report that it is ready to avoid
# race conditions with services which require functioning DNS.
#
local_unbound_poststart()
{
#    local retry=5
#
#    echo -n "Waiting for nameserver to start..."
#    until "${command}-control" status | grep -q "is running" ; do
#        if [ $((retry -= 1)) -eq 0 ] ; then
#            echo " giving up"
#            return 1
#        fi
#        echo -n "."
#        sleep 1
#    done
#    echo " good"
}
```
This solved the problem for me. I have been using Unbound for 2 years, and I never saw any race conditions anyway. If we really need to check whether unbound is running, why not simply run `drill localhost @127.0.0.1`, or something similar along this line? The additional benefit of this would be that the timeout feature is built into the drill(1) command.

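A poststart check along the lines obsigna suggests, written here as an added example rather than taken from the FreeBSD rc.d script: it waits for the resolver by querying it with drill(1), so it works with control-enable: no and needs no control certificates. It assumes drill is installed and the resolver listens on 127.0.0.1, and that drill prints a dig-style header line containing "rcode:"; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the FreeBSD /etc/rc.d/local_unbound script: wait for the
# local resolver by probing it with drill(1) instead of unbound-control, so it
# works with "control-enable: no" and needs no control certificates.
# Assumptions: drill(1) is installed, the resolver listens on 127.0.0.1, and
# drill prints a dig-style ";; ->>HEADER<<- ... rcode: ..." line on any reply.

# wait_for_resolver RETRIES DELAY PROBE [ARGS...]
# Runs PROBE once per attempt until it exits 0. Returns 0 on success and 1
# after RETRIES failed attempts, mirroring the rc script's "giving up" path.
wait_for_resolver()
{
    retry="$1"
    delay="$2"
    shift 2
    printf 'Waiting for nameserver to start...'
    until "$@" >/dev/null 2>&1 ; do
        retry=$((retry - 1))
        if [ "$retry" -le 0 ] ; then
            echo " giving up"
            return 1
        fi
        printf '.'
        sleep "$delay"
    done
    echo " good"
    return 0
}

# Probe: ask the local resolver for the root SOA. Any parsed reply, whatever
# its rcode, proves Unbound is listening; drill exits non-zero on a network
# error or timeout, and grep fails when no header line comes back.
drill_probe()
{
    drill . SOA @127.0.0.1 2>/dev/null | grep -q 'rcode:'
}

# Drop-in body for local_unbound_poststart(): same 5 attempts, one second
# apart, without touching unbound-control.
local_unbound_poststart()
{
    wait_for_resolver 5 1 drill_probe
}

# Run the real check only when invoked as "sh thisscript.sh run".
case "${1:-}" in
    run) local_unbound_poststart ;;
esac
```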

----------



## nforced (Apr 7, 2016)

Hmm, this is what I did today:

```
root@beast:~ > portmaster dns/unbound
root@beast:~ > unbound-control-setup
setup in directory /usr/local/etc/unbound
generating unbound_server.key
Generating RSA private key, 3072 bit long modulus
...................++
.................................................................................................................................................................++
e is 65537 (0x10001)
generating unbound_control.key
Generating RSA private key, 3072 bit long modulus
.............++
..........++
e is 65537 (0x10001)
create unbound_server.pem (self signed certificate)
create unbound_control.pem (signed client certificate)
Signature ok
subject=/CN=unbound-control
Getting CA Private Key
Setup success. Certificates created. Enable in unbound.conf file to use
root@beast:~ > /etc/rc.d/local
local*  local_unbound* localpkg*
root@beast:~ > /etc/rc.d/local
local*  local_unbound* localpkg*
root@beast:~ > /etc/rc.d/local_unbound restart
Stopping local_unbound.
Waiting for PIDS: 504.
Starting local_unbound.
Waiting for nameserver to start...[1460028235] unbound-control[1359:0] warning: control-enable is 'no' in the config file.
```
Same thing.


----------



## kpa (Apr 7, 2016)

You can't mix the local_unbound service and dns/unbound, they use totally different locations for binaries and configuration files. Assuming you want to have the control ability, use the port only.


----------



## nforced (Apr 7, 2016)

Crap. OK, since this doesn't fix the problem for me I am removing it.


----------



## cpm@ (Apr 7, 2016)

You can disable local_unbound service from base.

According to the src.conf(5) man page there is an option called WITHOUT_UNBOUND which, when set, causes unbound not to be installed. Then setting

```
WITHOUT_UNBOUND=yes
```
in /etc/src.conf is the first step to prevent it from being reinstalled in an update.

After the parameter is in place, if you go to /usr/src and run `make check-old`:

```
Checking for old files
/etc/rc.d/local_unbound
/etc/unbound
/usr/sbin/local-unbound-setup
/usr/sbin/unbound
/usr/sbin/unbound-anchor
/usr/sbin/unbound-checkconf
/usr/sbin/unbound-control
/usr/sbin/unbound-control-setup
/usr/share/man/man5/unbound.conf.5.gz
/usr/share/man/man8/unbound-anchor.8.gz
/usr/share/man/man8/unbound-checkconf.8.gz
/usr/share/man/man8/unbound-control.8.gz
/usr/share/man/man8/unbound.8.gz
Checking for old libraries
/usr/lib/private/libunbound.so.5
/usr/lib32/private/libunbound.so.5
Checking for old directories
To remove old files and directories run 'make delete-old'.
To remove old libraries run 'make delete-old-libs'.
```

The files currently installed from unbound already enter the obsolete list, and can be removed with `make delete-old` and `make delete-old-libs`.


----------



## nforced (Apr 7, 2016)

Thanks cpm, but I don't want to disable this service. I use it for my own needs, I just want to have it running like I always used to. I know disabling it will solve the problem, but that's not my point.


----------



## cpm@ (Apr 7, 2016)

Of course, it all depends on your intentions. In the meantime, you can use dns/unbound.


----------



## nforced (Apr 7, 2016)

I have tried this, same problem there...


----------



## obsigna (Apr 7, 2016)

nforced said:


> I have tried this, same problem there...


I guess you misunderstood the suggestion. Installing dns/unbound is not sufficient. You need to tell your system to use it instead of local_unbound from the base system. To begin with, you would need to copy the settings from /etc/unbound/unbound.conf (the base location) to /usr/local/etc/unbound/unbound.conf, i.e. the settings location of the Unbound port. In addition, the start command is of course not

```
local_unbound_enable="YES"
```
but simply

```
unbound_enable="YES"
```
There is no need to remove local_unbound, only make sure you don't activate it in /etc/rc.conf.

Anyway, installing dns/unbound and transferring all the settings, is IMHO much more hassle than simply deactivating the culprit local_unbound_poststart() subroutine in /etc/rc.d/local_unbound. I added a comment on your PR 208529 on this.


----------



## LiSergey (Jan 10, 2017)

obsigna said:


> I found the culprit. It lies in the local_unbound_poststart() sub-routine in file /etc/rc.d/local_unbound.
> 
> In my file /etc/rc.d/local_unbound I commented out the body of local_unbound_poststart():
> 
> ...



Thanks, that helped me.
I prefer to use the bundled unbound on lower-load servers to pay less attention to updates, while installing dns/unbound on busy servers with more options available for high load.

Also, in the default config /etc/unbound/unbound.conf.sample chroot is enabled by default, with a mismatched pid-file location: inside the chroot in the config and outside it in the /etc/rc.d/local_unbound script.

diff:

```
- # pidfile: "/etc/unbound/unbound.pid"
+pidfile: "/var/run/local_unbound.pid"
```
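Review bot: the `-` line is a commented-out default (`# pidfile:`), so this hunk adds a pidfile setting rather than changing an active one; the post should say so, since it frames the change as fixing a mismatch. The new path `/var/run/local_unbound.pid` agrees with the one the rc script reports earlier in this thread ("local_unbound not running? (check /var/run/local_unbound.pid)"), which is the point of the change; a one-line note that this path lies outside the chroot the post says is enabled would make the intent clear to the next reader.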


----------

