Old 01-02-2019, 06:01 PM   #1
crypted
Member
 
Registered: Jan 2004
Posts: 59

Rep: Reputation: 15
Unbound DNS daemon issues - SSL error handshake fails


I'm doing a little project to get Unbound to accept DNS-over-TLS to be my go-to for the Private DNS option in Android Pie at the system level. I have it linked to my local Pi-Hole server and it's working fine, providing data replies from Pi-Hole. However, the TLS side is failing. And, I'm totally ignorant about certificates.

The error I can't solve goes like this:
Quote:
Jan 2 18:53:17 dgunbound unbound: [4579:0] info: start of service (unbound 1.8.3).
Jan 2 18:53:23 dgunbound unbound: [4579:0] error: ssl handshake failed crypto error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jan 2 18:53:23 dgunbound unbound: [4579:0] notice: ssl handshake failed 179.6.222.181 port 59051
Jan 2 18:53:25 dgunbound unbound: [4579:0] error: ssl handshake failed crypto error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jan 2 18:53:25 dgunbound unbound: [4579:0] notice: ssl handshake failed 172.56.31.215 port 44842
I used update-ca-certificates to ensure Debian was current.

I generated new keys twice from unbound-config-setup.

I tried with and without the cert and/or key/pem specified in the configuration file.

Speaking of config files, this is my unbound file:
Quote:
server:
tls-cert-bundle: certificates.crt
tls-service-key: unbound_server.key
tls-service-pem: unbound_server.pem
tls-port: 853
tls-upstream: no
edns-tcp-keepalive: yes
access-control: 0.0.0.0/0 allow
cache-max-ttl: 10
cache-min-ttl: 0
do-tcp: yes
do-not-query-localhost: no
hide-identity: no
hide-version: no
#interface: 127.0.0.1
interface: ::0@853
interface: 0.0.0.0@853
udp-upstream-without-downstream: yes
minimal-responses: yes
prefetch: no
qname-minimisation: no
ssl-upstream: no
use-caps-for-id: yes
verbosity: 1
local-zone: "localhost." static
local-data: "localhost. 10800 IN NS localhost."
local-data: "localhost. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
local-data: "localhost. 10800 IN A 127.0.0.1"
local-zone: "127.in-addr.arpa." static
local-data: "127.in-addr.arpa. 10800 IN NS localhost."
local-data: "127.in-addr.arpa. 10800 IN SOA localhost. nobody.invalid. 2 3600 1200 604800 10800"
local-data: "1.0.0.127.in-addr.arpa. 10800 IN PTR localhost."
forward-zone:
name: "."
forward-addr: 127.0.0.1
forward-tls-upstream: no
forward-no-cache: yes
remote-control:
control-enable: yes
Note, the certificate.crt is valid. I have a symlink in the /etc/unbound path so that it's sitting with the other pertinent files. No real reason but I did...

Android fails to connect and my log provides the above. For what it's worth I'm using a Pixel 3.

I'd really appreciate some help to get me past what I think is my very last hurdle.
 
Old 01-03-2019, 02:06 AM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Quote:
Jan 2 18:53:23 dgunbound unbound: [4579:0] error: ssl handshake failed crypto error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Looks like the CA (Certificate Authority) is unknown to unbound.
I'm not familiar with unbound, but this error could mean that you're using a self-signed certificate. If that's the case, you should also add the CA certificate among the other certs, so unbound can find it.

Regards
 
Old 01-03-2019, 07:33 AM   #3
crypted
Member
 
Registered: Jan 2004
Posts: 59

Original Poster
Rep: Reputation: 15
Stunnel replacement option for failing Unbound attempt

So, I gave up on unbound as on every restart the unbound pem/key would go to crap and need to be redone.

I'm trying STUNNEL as that seems more pertinent to my needs. I'm basically getting the same issue:

My steps were as follows:
1. install stunnel from apt

2. setup the config file to be the following:
Quote:
[dns]
accept = 853
connect = 127.0.0.1:53
cert = dns.crt
key = dns.key
3. Generate a .crt and .key file using:
Quote:
openssl genrsa -out dns.key 1024
openssl req -new -key dns.key -out dns.crt -x509
4. Copy the .crt to /etc/ssl/crt and /usr/share/ca-certificate/ and the .key to /etc/ssl/private/.

5. Ran "dpkg-reconfigure ca-certificates" and selected dns.crt to add to the ca bundle.

Quote:
Jan 3 08:21:15 dgpihole1 stunnel: LOG5[ui]: stunnel 5.39 on x86_64-pc-linux-gnu platform
Jan 3 08:21:15 dgpihole1 stunnel: LOG5[ui]: Compiled with OpenSSL 1.1.0c 10 Nov 2016
Jan 3 08:21:15 dgpihole1 stunnel: LOG5[ui]: Running with OpenSSL 1.1.0j 20 Nov 2018
Jan 3 08:21:15 dgpihole1 stunnel: LOG5[ui]: Update OpenSSL shared libraries or rebuild stunnel
Jan 3 08:21:15 dgpihole1 stunnel: LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
Jan 3 08:21:15 dgpihole1 stunnel: LOG5[ui]: Reading configuration from file /home/derek/stunnel/dnstls.conf
Jan 3 08:21:15 dgpihole1 stunnel: LOG5[ui]: UTF-8 byte order mark not detected
Jan 3 08:21:15 dgpihole1 stunnel: LOG5[ui]: FIPS mode disabled
Jan 3 08:21:15 dgpihole1 stunnel: LOG5[ui]: Configuration successful
Jan 3 08:21:21 dgpihole1 stunnel: LOG5[0]: Service [dns] accepted connection from 179.6.222.181:32436
Jan 3 08:21:21 dgpihole1 stunnel: LOG3[0]: SSL_accept: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jan 3 08:21:21 dgpihole1 stunnel: LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
Jan 3 08:21:21 dgpihole1 stunnel: LOG5[1]: Service [dns] accepted connection from 172.56.31.93:26822
Jan 3 08:21:22 dgpihole1 stunnel: LOG3[1]: SSL_accept: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jan 3 08:21:22 dgpihole1 stunnel: LOG5[1]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
Then, I added additional steps to try to overcome the matter.

1. Made different keys and a CA.crt.

Quote:
openssl genrsa -out dns.key 1024
openssl req -new -key dns.key -out dns.req
openssl x509 -req -in dns.req -out dns.crt -CA ca.crt -CAkey ca.key -CAcreateserial
2. Added this to the stunnel config file:

Quote:
CAfile = ca.crt
I ended up with the same results:

Quote:
Jan 3 08:28:44 dgpihole1 stunnel: LOG5[ui]: stunnel 5.39 on x86_64-pc-linux-gnu platform
Jan 3 08:28:44 dgpihole1 stunnel: LOG5[ui]: Compiled with OpenSSL 1.1.0c 10 Nov 2016
Jan 3 08:28:44 dgpihole1 stunnel: LOG5[ui]: Running with OpenSSL 1.1.0j 20 Nov 2018
Jan 3 08:28:44 dgpihole1 stunnel: LOG5[ui]: Update OpenSSL shared libraries or rebuild stunnel
Jan 3 08:28:44 dgpihole1 stunnel: LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
Jan 3 08:28:44 dgpihole1 stunnel: LOG5[ui]: Reading configuration from file /home/derek/stunnel/dnstls.conf
Jan 3 08:28:44 dgpihole1 stunnel: LOG5[ui]: UTF-8 byte order mark not detected
Jan 3 08:28:44 dgpihole1 stunnel: LOG5[ui]: FIPS mode disabled
Jan 3 08:28:44 dgpihole1 stunnel: LOG5[ui]: Configuration successful
Jan 3 08:28:51 dgpihole1 stunnel: LOG5[0]: Service [dns] accepted connection from 172.56.30.146:41458
Jan 3 08:28:51 dgpihole1 stunnel: LOG5[1]: Service [dns] accepted connection from 179.6.222.181:34175
Jan 3 08:28:51 dgpihole1 stunnel: LOG3[1]: SSL_accept: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jan 3 08:28:51 dgpihole1 stunnel: LOG5[1]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
Jan 3 08:28:51 dgpihole1 stunnel: LOG3[0]: SSL_accept: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jan 3 08:28:51 dgpihole1 stunnel: LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
Any thoughts out there?
 
Old 01-03-2019, 07:40 AM   #4
crypted
Member
 
Registered: Jan 2004
Posts: 59

Original Poster
Rep: Reputation: 15
EDIT: I found the following two config file flags and tried them. It still failed:

Added flags:
Quote:
verify = 0
verifyChain = no
verifyPeer = no
sslVersion = all
Combined, I was hoping that it would not verify the cert and just connect as that's what I understood that flag to mean, and to permit all SSL versions in case it didn't like sslv3.


Same issue:
Quote:
Jan 3 08:38:02 dgpihole1 stunnel: LOG5[ui]: stunnel 5.39 on x86_64-pc-linux-gnu platform
Jan 3 08:38:02 dgpihole1 stunnel: LOG5[ui]: Compiled with OpenSSL 1.1.0c 10 Nov 2016
Jan 3 08:38:02 dgpihole1 stunnel: LOG5[ui]: Running with OpenSSL 1.1.0j 20 Nov 2018
Jan 3 08:38:02 dgpihole1 stunnel: LOG5[ui]: Update OpenSSL shared libraries or rebuild stunnel
Jan 3 08:38:02 dgpihole1 stunnel: LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
Jan 3 08:38:02 dgpihole1 stunnel: LOG5[ui]: Reading configuration from file /home/derek/stunnel/dnstls.conf
Jan 3 08:38:02 dgpihole1 stunnel: LOG5[ui]: UTF-8 byte order mark not detected
Jan 3 08:38:02 dgpihole1 stunnel: LOG5[ui]: FIPS mode disabled
Jan 3 08:38:02 dgpihole1 stunnel: LOG5[ui]: Configuration successful
Jan 3 08:38:17 dgpihole1 stunnel: LOG5[0]: Service [dns] accepted connection from 179.6.222.181:36567
Jan 3 08:38:18 dgpihole1 stunnel: LOG3[0]: SSL_accept: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jan 3 08:38:18 dgpihole1 stunnel: LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket

Last edited by crypted; 01-03-2019 at 07:51 AM.
 
Old 01-03-2019, 11:58 AM   #5
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Quote:
Jan 3 08:38:18 dgpihole1 stunnel: LOG3[0]: SSL_accept: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Still the same problem with the unknown CA.
You could try to install a letsencrypt certificate and see if it works.

Regards
 
Old 01-03-2019, 04:36 PM   #6
crypted
Member
 
Registered: Jan 2004
Posts: 59

Original Poster
Rep: Reputation: 15
Yeah, issue there is Pi-hole has port 80 in use for its httpd, so letsencrypt via Apache kind of flops.

I was able to at least see basic functionality with higher verbosity. Wish I was at home to watch the log on adb and to see if stunnel would work from my home PC.

Quote:
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: Service [dns] started
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: Option TCP_NODELAY set on local socket
Jan 3 17:21:55 dgpihole1 stunnel: LOG5[0]: Service [dns] accepted connection from 179.6.222.181:37146
Jan 3 17:21:55 dgpihole1 stunnel: LOG6[0]: Peer certificate required
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS state (accept): before SSL initialization
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS state (accept): before SSL initialization
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: SNI: no virtual services defined
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS state (accept): SSLv3/TLS read client hello
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS state (accept): SSLv3/TLS write server hello
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS state (accept): SSLv3/TLS write certificate
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS state (accept): SSLv3/TLS write key exchange
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS state (accept): SSLv3/TLS write certificate request
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS state (accept): SSLv3/TLS write server done
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS alert (read): fatal: unknown CA
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: Remove session callback
Jan 3 17:21:55 dgpihole1 stunnel: LOG3[0]: SSL_accept: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jan 3 17:21:55 dgpihole1 stunnel: LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: Deallocating application specific data for addr index
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: Local descriptor (FD=3) closed
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: Service [dns] finished (0 left)
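The verbose trace above records the alert as "TLS alert (read)", meaning stunnel received it from the Android client, and the earlier unbound log carries the same OpenSSL code 14094418; both say the client rejected the server's certificate chain, so the trust problem is on the client side rather than in stunnel's verify settings. The following triage script is an added example, not code from this thread or from stunnel/unbound: it decodes such OpenSSL codes into their TLS alert number and summarises them across clients; the log lines and the 192.0.2.x addresses are constructed.

```python
import re
from collections import Counter

# TLS alert numbers (RFC 5246, section 7.2) that a DNS-over-TLS listener commonly logs.
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
              48: "unknown_ca", 70: "protocol_version"}

# Constructed sample, modelled on the unbound and stunnel lines in this thread;
# 192.0.2.x are documentation addresses standing in for the real clients.
SAMPLE_LOG = """\
Jan 2 18:53:23 dgunbound unbound: [4579:0] error: ssl handshake failed crypto error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jan 2 18:53:23 dgunbound unbound: [4579:0] notice: ssl handshake failed 192.0.2.10 port 59051
Jan 2 18:53:25 dgunbound unbound: [4579:0] error: ssl handshake failed crypto error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jan 2 18:53:25 dgunbound unbound: [4579:0] notice: ssl handshake failed 192.0.2.11 port 44842
Jan 3 08:21:21 dgpihole1 stunnel: LOG5[0]: Service [dns] accepted connection from 192.0.2.10:32436
Jan 3 08:21:21 dgpihole1 stunnel: LOG3[0]: SSL_accept: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
"""

CODE_RE = re.compile(r"error:([0-9A-Fa-f]{8}):SSL routines")
PEER_RE = re.compile(r"(?:handshake failed|accepted connection from) (\d+\.\d+\.\d+\.\d+)")

def decode_openssl_error(code):
    """Split an 8-hex-digit OpenSSL error code (0xLLFFFRRR) into library, function
    and reason. In the SSL library (0x14) a reason of 1000+N means the peer sent
    TLS alert N, i.e. the remote side decided the handshake should fail."""
    value = int(code, 16)
    lib, func, reason = value >> 24, (value >> 12) & 0xFFF, value & 0xFFF
    alert = reason - 1000 if lib == 0x14 and 1000 <= reason <= 1255 else None
    name = TLS_ALERTS.get(alert, f"alert_{alert}") if alert is not None else "not_an_alert"
    return {"lib": lib, "func": func, "reason": reason, "alert": alert, "alert_name": name}

def triage(log_text):
    """Count peer-sent alerts and distinct client addresses, then give a verdict:
    the same unknown_ca alert from several clients points at the server's chain."""
    alerts, clients = Counter(), set()
    for line in log_text.splitlines():
        m = CODE_RE.search(line)
        if m:
            alerts[decode_openssl_error(m.group(1))["alert_name"]] += 1
        p = PEER_RE.search(line)
        if p:
            clients.add(p.group(1))
    if alerts and alerts.most_common(1)[0][0] == "unknown_ca" and len(clients) > 1:
        verdict = ("clients reject the server certificate chain: the issuing CA is not in "
                   "their trust store, so fix the chain or CA, not the server's verify settings")
    elif alerts:
        verdict = "mixed or single-client alerts: investigate the client side first"
    else:
        verdict = "no peer-sent TLS alerts found"
    return {"alerts": dict(alerts), "clients": sorted(clients), "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```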
 
Old 01-04-2019, 03:22 PM   #7
crypted
Member
 
Registered: Jan 2004
Posts: 59

Original Poster
Rep: Reputation: 15
I bought a ticket and it works now, go figure. lol
 