LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Debian
User Name
Password
Debian This forum is for the discussion of Debian Linux.

Notices


Reply
  Search this Thread
Old 01-02-2019, 06:01 PM   #1
crypted
Member
 
Registered: Jan 2004
Posts: 59

Rep: Reputation: 15
Unbound DNS daemon issues - SSL error handshake fails


I'm doing a little project to get Unbound to accept DNS-over-TLS to be my go-to for the Private DNS option in Android Pie at the system level. I have it linked to my local Pi-Hole server and it's working fine, providing data replies from Pi-Hole. However, the TLS side is failing. And, I'm totally ignorant to certificates.

The error I can't solve goes like this:
Quote:
Jan 2 18:53:17 dgunbound unbound: [4579:0] info: start of service (unbound 1.8.3).
Jan 2 18:53:23 dgunbound unbound: [4579:0] error: ssl handshake failed crypto error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jan 2 18:53:23 dgunbound unbound: [4579:0] notice: ssl handshake failed 179.6.222.181 port 59051
Jan 2 18:53:25 dgunbound unbound: [4579:0] error: ssl handshake failed crypto error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jan 2 18:53:25 dgunbound unbound: [4579:0] notice: ssl handshake failed 172.56.31.215 port 44842
I used update-ca-certificates to ensure Debian was current.

I generated new keys twice from unbound-config-setup.

I tried with and without the cert and/or key/pem specified in the configuration file.

Speaking of config files, this is my unbound file:
Quote:
server:
tls-cert-bundle: certificates.crt
tls-service-key: unbound_server.key
tls-service-pem: unbound_server.pem
tls-port: 853
tls-upstream: no
edns-tcp-keepalive: yes
access-control: 0.0.0.0/0 allow
cache-max-ttl: 10
cache-min-ttl: 0
do-tcp: yes
do-not-query-localhost: no
hide-identity: no
hide-version: no
#interface: 127.0.0.1
interface: ::0@853
interface: 0.0.0.0@853
udp-upstream-without-downstream: yes
minimal-responses: yes
prefetch: no
qname-minimisation: no
ssl-upstream: no
use-caps-for-id: yes
verbosity: 1
local-zone: "localhost." static
local-data: "localhost. 10800 IN NS localhost."
local-data: "localhost. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
local-data: "localhost. 10800 IN A 127.0.0.1"
local-zone: "127.in-addr.arpa." static
local-data: "127.in-addr.arpa. 10800 IN NS localhost."
local-data: "127.in-addr.arpa. 10800 IN SOA localhost. nobody.invalid. 2 3600 1200 604800 10800"
local-data: "1.0.0.127.in-addr.arpa. 10800 IN PTR localhost."
forward-zone:
name: .
forward-addr: 127.0.0.1
forward-tls-upstream: no
forward-no-cache:yes
remote-control:
control-enable: yes
Note, the certificate.crt is valid. I have a symlink in the /etc/unbound path so that it's sitting with the other pertinent files. No real reason but I did...

Android fails to connect and my log provides the above. For what it's worth I'm using a Pixel 3.

I'd really appreciate some help to get me past what I think is my very last hurdle.
 
Old 01-03-2019, 02:06 AM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,412

Rep: Reputation: 1727Reputation: 1727Reputation: 1727Reputation: 1727Reputation: 1727Reputation: 1727Reputation: 1727Reputation: 1727Reputation: 1727Reputation: 1727Reputation: 1727
Quote:
Jan 2 18:53:23 dgunbound unbound: [4579:0] error: ssl handshake failed crypto error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Looks like the CA (Certificate Authority) is unknown to unbound.
I'm not familiar with unbound, but this error could mean that you're using a self-signed certificate. If that's the case, you should also add the CA certificate among the other certs, so unbound can find it.

Regards
 
Old 01-03-2019, 07:33 AM   #3
crypted
Member
 
Registered: Jan 2004
Posts: 59

Original Poster
Rep: Reputation: 15
Stunnel replacement option for failing Unbound attempt

So, I gave up on unbound as every restart the unbound pem/key would go to crap and need redone.

I'm trying STUNNEL as that seems more pertinent to my needs. I'm basically getting the same issue:

My steps were as follows:
1. install stunnel from apt

2. setup the config file to be the following:
Quote:
[dns]
accept = 853
connect = 127.0.0.1:53
cert = dns.crt
key = dns.key
3. Generate a .crt and .key file using:
Quote:
openssl genrsa -out dns.key 1024
openssl req -new -key dns.key -out dns.crt -x509
4. Copy the .crt to /etc/ssl/crt and /usr/share/ca-certificate/ and the .key to /etc/ssl/private/.

5. Run "dpkg-reconfigure ca-certificates" and selected dns.crt to add to the ca bundle.

Quote:
Jan 3 08:21:15 dgpihole1 stunnel: LOG5[ui]: stunnel 5.39 on x86_64-pc-linux-gnu platform
Jan 3 08:21:15 dgpihole1 stunnel: LOG5[ui]: Compiled with OpenSSL 1.1.0c 10 Nov 2016
Jan 3 08:21:15 dgpihole1 stunnel: LOG5[ui]: Running with OpenSSL 1.1.0j 20 Nov 2018
Jan 3 08:21:15 dgpihole1 stunnel: LOG5[ui]: Update OpenSSL shared libraries or rebuild stunnel
Jan 3 08:21:15 dgpihole1 stunnel: LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
Jan 3 08:21:15 dgpihole1 stunnel: LOG5[ui]: Reading configuration from file /home/derek/stunnel/dnstls.conf
Jan 3 08:21:15 dgpihole1 stunnel: LOG5[ui]: UTF-8 byte order mark not detected
Jan 3 08:21:15 dgpihole1 stunnel: LOG5[ui]: FIPS mode disabled
Jan 3 08:21:15 dgpihole1 stunnel: LOG5[ui]: Configuration successful
Jan 3 08:21:21 dgpihole1 stunnel: LOG5[0]: Service [dns] accepted connection from 179.6.222.181:32436
Jan 3 08:21:21 dgpihole1 stunnel: LOG3[0]: SSL_accept: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jan 3 08:21:21 dgpihole1 stunnel: LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
Jan 3 08:21:21 dgpihole1 stunnel: LOG5[1]: Service [dns] accepted connection from 172.56.31.93:26822
Jan 3 08:21:22 dgpihole1 stunnel: LOG3[1]: SSL_accept: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jan 3 08:21:22 dgpihole1 stunnel: LOG5[1]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
Then, I added additional steps to try to overcome the matter.

1. Made different keys and a CA.crt.

Quote:
openssl genrsa -out dns.key 1024
openssl req -new -key dns.key -out dns.req
openssl x509 -req -in dns.req -out dns.crt -CA ca.crt -CAkey ca.key -CAcreateserial
2. Added this to the stunnel config file:

Quote:
CAfile = ca.crt
I ended up with the same results:

Quote:
Jan 3 08:28:44 dgpihole1 stunnel: LOG5[ui]: stunnel 5.39 on x86_64-pc-linux-gnu platform
Jan 3 08:28:44 dgpihole1 stunnel: LOG5[ui]: Compiled with OpenSSL 1.1.0c 10 Nov 2016
Jan 3 08:28:44 dgpihole1 stunnel: LOG5[ui]: Running with OpenSSL 1.1.0j 20 Nov 2018
Jan 3 08:28:44 dgpihole1 stunnel: LOG5[ui]: Update OpenSSL shared libraries or rebuild stunnel
Jan 3 08:28:44 dgpihole1 stunnel: LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
Jan 3 08:28:44 dgpihole1 stunnel: LOG5[ui]: Reading configuration from file /home/derek/stunnel/dnstls.conf
Jan 3 08:28:44 dgpihole1 stunnel: LOG5[ui]: UTF-8 byte order mark not detected
Jan 3 08:28:44 dgpihole1 stunnel: LOG5[ui]: FIPS mode disabled
Jan 3 08:28:44 dgpihole1 stunnel: LOG5[ui]: Configuration successful
Jan 3 08:28:51 dgpihole1 stunnel: LOG5[0]: Service [dns] accepted connection from 172.56.30.146:41458
Jan 3 08:28:51 dgpihole1 stunnel: LOG5[1]: Service [dns] accepted connection from 179.6.222.181:34175
Jan 3 08:28:51 dgpihole1 stunnel: LOG3[1]: SSL_accept: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jan 3 08:28:51 dgpihole1 stunnel: LOG5[1]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
Jan 3 08:28:51 dgpihole1 stunnel: LOG3[0]: SSL_accept: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jan 3 08:28:51 dgpihole1 stunnel: LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
Any thoughts out there?
 
Old 01-03-2019, 07:40 AM   #4
crypted
Member
 
Registered: Jan 2004
Posts: 59

Original Poster
Rep: Reputation: 15
EDIT: I found the following two config file flags and tried them. It still failed:

Added flags:
Quote:
verify = 0
verifyChain = no
verifyPeer = no
sslVersion = all
Combined, I was hoping that it would not verify the cert and just connect as that's what I understood that flag to mean, and to permit all SSL versions in case it didn't like sslv3.


Same issue:
Quote:
Jan 3 08:38:02 dgpihole1 stunnel: LOG5[ui]: stunnel 5.39 on x86_64-pc-linux-gnu platform
Jan 3 08:38:02 dgpihole1 stunnel: LOG5[ui]: Compiled with OpenSSL 1.1.0c 10 Nov 2016
Jan 3 08:38:02 dgpihole1 stunnel: LOG5[ui]: Running with OpenSSL 1.1.0j 20 Nov 2018
Jan 3 08:38:02 dgpihole1 stunnel: LOG5[ui]: Update OpenSSL shared libraries or rebuild stunnel
Jan 3 08:38:02 dgpihole1 stunnel: LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
Jan 3 08:38:02 dgpihole1 stunnel: LOG5[ui]: Reading configuration from file /home/derek/stunnel/dnstls.conf
Jan 3 08:38:02 dgpihole1 stunnel: LOG5[ui]: UTF-8 byte order mark not detected
Jan 3 08:38:02 dgpihole1 stunnel: LOG5[ui]: FIPS mode disabled
Jan 3 08:38:02 dgpihole1 stunnel: LOG5[ui]: Configuration successful
Jan 3 08:38:17 dgpihole1 stunnel: LOG5[0]: Service [dns] accepted connection from 179.6.222.181:36567
Jan 3 08:38:18 dgpihole1 stunnel: LOG3[0]: SSL_accept: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jan 3 08:38:18 dgpihole1 stunnel: LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket

Last edited by crypted; 01-03-2019 at 07:51 AM.
 
Old 01-03-2019, 11:58 AM   #5
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,412

Rep: Reputation: 1727Reputation: 1727Reputation: 1727Reputation: 1727Reputation: 1727Reputation: 1727Reputation: 1727Reputation: 1727Reputation: 1727Reputation: 1727Reputation: 1727
Quote:
Jan 3 08:38:18 dgpihole1 stunnel: LOG3[0]: SSL_accept: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Still the same problem with the unknown CA.
You could try to install a letsencrypt certificate and see if it works.

Regards
 
Old 01-03-2019, 04:36 PM   #6
crypted
Member
 
Registered: Jan 2004
Posts: 59

Original Poster
Rep: Reputation: 15
Yeah, issue there is Pi-hole has port 80 in use for its httpd, so letsencrypt via Apache kind of flops.

I was able to at least see basic functionality with higher verbose. Wish I was at home to watch the log on adb and to see if stunnel would work from my home PC.

Quote:
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: Service [dns] started
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: Option TCP_NODELAY set on local socket
Jan 3 17:21:55 dgpihole1 stunnel: LOG5[0]: Service [dns] accepted connection from 179.6.222.181:37146
Jan 3 17:21:55 dgpihole1 stunnel: LOG6[0]: Peer certificate required
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS state (accept): before SSL initialization
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS state (accept): before SSL initialization
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: SNI: no virtual services defined
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS state (accept): SSLv3/TLS read client hello
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS state (accept): SSLv3/TLS write server hello
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS state (accept): SSLv3/TLS write certificate
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS state (accept): SSLv3/TLS write key exchange
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS state (accept): SSLv3/TLS write certificate request
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS state (accept): SSLv3/TLS write server done
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS alert (read): fatal: unknown CA
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: Remove session callback
Jan 3 17:21:55 dgpihole1 stunnel: LOG3[0]: SSL_accept: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jan 3 17:21:55 dgpihole1 stunnel: LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: Deallocating application specific data for addr index
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: Local descriptor (FD=3) closed
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: Service [dns] finished (0 left)
 
Old 01-04-2019, 03:22 PM   #7
crypted
Member
 
Registered: Jan 2004
Posts: 59

Original Poster
Rep: Reputation: 15
I bought a ticket and it works now, go figure. lol
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Nagios : Issues- (1)CHECK_NRPE: Error - Could not complete SSL handshake. (2) CHECK_NRPE: Socket timeout after 30 seconds. (3) Sync missed deva420patra Linux - Server 11 02-06-2017 06:23 AM
unbound with ssl redirects - doesn't resolve qwertyjjj Linux - Server 1 08-02-2014 01:20 AM
[SOLVED] Error on SVN checkout: SSL handshake failed: SSL error: Key usage violation in certif jsaravana87 Linux - Server 3 05-07-2012 10:00 AM
NAGIOS: NRPE error : Could not complete SSL handshake TrotskyIcepick Linux - Newbie 3 11-02-2009 03:25 PM
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure Carpo Slackware 1 07-10-2007 08:46 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Debian

All times are GMT -5. The time now is 09:48 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration