Unbound DNS daemon issues - SSL error handshake fails
I'm doing a little project to get Unbound to accept DNS-over-TLS to be my go-to for the Private DNS option in Android Pie at the system level. I have it linked to my local Pi-Hole server and it's working fine, providing data replies from Pi-Hole. However, the TLS side is failing. And, I'm totally ignorant of certificates.
The error I can't solve goes like this:
Quote:
Jan 2 18:53:17 dgunbound unbound: [4579:0] info: start of service (unbound 1.8.3).
Jan 2 18:53:23 dgunbound unbound: [4579:0] error: ssl handshake failed crypto error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jan 2 18:53:23 dgunbound unbound: [4579:0] notice: ssl handshake failed 179.6.222.181 port 59051
Jan 2 18:53:25 dgunbound unbound: [4579:0] error: ssl handshake failed crypto error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jan 2 18:53:25 dgunbound unbound: [4579:0] notice: ssl handshake failed 172.56.31.215 port 44842
I used update-ca-certificates to ensure Debian was current.
I generated new keys twice from unbound-control-setup.
I tried with and without the cert and/or key/pem specified in the configuration file.
Speaking of config files, this is my unbound file:
Quote:
server:
    # tls-cert-bundle is only used to verify UPSTREAM TLS servers (tls-upstream /
    # forward-tls-upstream); it has no effect on the certificate offered to clients on 853
    tls-cert-bundle: certificates.crt
    # key and certificate presented to DNS-over-TLS clients; the certificate has to chain
    # to a CA the client trusts and carry the hostname the client is configured with
    tls-service-key: unbound_server.key
    tls-service-pem: unbound_server.pem
    tls-port: 853
    tls-upstream: no
    edns-tcp-keepalive: yes
    # resolver is open to any source address; only port 853 is bound below, so this is
    # a DoT-only (TCP) service rather than a plain open UDP resolver
    access-control: 0.0.0.0/0 allow
    cache-max-ttl: 10
    cache-min-ttl: 0
    do-tcp: yes
    do-not-query-localhost: no
    hide-identity: no
    hide-version: no
    #interface: 127.0.0.1
    interface: ::0@853
    interface: 0.0.0.0@853
    udp-upstream-without-downstream: yes
    minimal-responses: yes
    prefetch: no
    qname-minimisation: no
    # older alias of tls-upstream; both are set to no here
    ssl-upstream: no
    use-caps-for-id: yes
    verbosity: 1
    local-zone: "localhost." static
    local-data: "localhost. 10800 IN NS localhost."
    local-data: "localhost. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
    local-data: "localhost. 10800 IN A 127.0.0.1"
    local-zone: "127.in-addr.arpa." static
    local-data: "127.in-addr.arpa. 10800 IN NS localhost."
    local-data: "127.in-addr.arpa. 10800 IN SOA localhost. nobody.invalid. 2 3600 1200 604800 10800"
    local-data: "1.0.0.127.in-addr.arpa. 10800 IN PTR localhost."

# everything is handed to Pi-hole on localhost in the clear; no caching on this hop
forward-zone:
    name: "."
    forward-addr: 127.0.0.1
    forward-tls-upstream: no
    forward-no-cache: yes

remote-control:
    control-enable: yes
Note, the certificate.crt is valid. I have a symlink in the /etc/unbound path so that it's sitting with the other pertinent files. No real reason but I did...
Android fails to connect and my log provides the above. For what it's worth I'm using a Pixel 3.
I'd really appreciate some help to get me past what I think is my very last hurdle.
Jan 2 18:53:23 dgunbound unbound: [4579:0] error: ssl handshake failed crypto error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Looks like the CA (Certificate Authority) is unknown to unbound.
I'm not familiar with unbound, but this error could mean that you're using a self-signed certificate. If that's the case, you should also add the CA certificate among the other certs, so unbound can find it.
4. Copy the .crt to /etc/ssl/crt and /usr/share/ca-certificate/ and the .key to /etc/ssl/private/.
5. Run "dpkg-reconfigure ca-certificates" and select dns.crt to add to the ca bundle.
Quote:
Jan 3 08:21:15 dgpihole1 stunnel: LOG5[ui]: stunnel 5.39 on x86_64-pc-linux-gnu platform
Jan 3 08:21:15 dgpihole1 stunnel: LOG5[ui]: Compiled with OpenSSL 1.1.0c 10 Nov 2016
Jan 3 08:21:15 dgpihole1 stunnel: LOG5[ui]: Running with OpenSSL 1.1.0j 20 Nov 2018
Jan 3 08:21:15 dgpihole1 stunnel: LOG5[ui]: Update OpenSSL shared libraries or rebuild stunnel
Jan 3 08:21:15 dgpihole1 stunnel: LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
Jan 3 08:21:15 dgpihole1 stunnel: LOG5[ui]: Reading configuration from file /home/derek/stunnel/dnstls.conf
Jan 3 08:21:15 dgpihole1 stunnel: LOG5[ui]: UTF-8 byte order mark not detected
Jan 3 08:21:15 dgpihole1 stunnel: LOG5[ui]: FIPS mode disabled
Jan 3 08:21:15 dgpihole1 stunnel: LOG5[ui]: Configuration successful
Jan 3 08:21:21 dgpihole1 stunnel: LOG5[0]: Service [dns] accepted connection from 179.6.222.181:32436
Jan 3 08:21:21 dgpihole1 stunnel: LOG3[0]: SSL_accept: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jan 3 08:21:21 dgpihole1 stunnel: LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
Jan 3 08:21:21 dgpihole1 stunnel: LOG5[1]: Service [dns] accepted connection from 172.56.31.93:26822
Jan 3 08:21:22 dgpihole1 stunnel: LOG3[1]: SSL_accept: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jan 3 08:21:22 dgpihole1 stunnel: LOG5[1]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
Then, I added additional steps to try to overcome the matter.
Jan 3 08:28:44 dgpihole1 stunnel: LOG5[ui]: stunnel 5.39 on x86_64-pc-linux-gnu platform
Jan 3 08:28:44 dgpihole1 stunnel: LOG5[ui]: Compiled with OpenSSL 1.1.0c 10 Nov 2016
Jan 3 08:28:44 dgpihole1 stunnel: LOG5[ui]: Running with OpenSSL 1.1.0j 20 Nov 2018
Jan 3 08:28:44 dgpihole1 stunnel: LOG5[ui]: Update OpenSSL shared libraries or rebuild stunnel
Jan 3 08:28:44 dgpihole1 stunnel: LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
Jan 3 08:28:44 dgpihole1 stunnel: LOG5[ui]: Reading configuration from file /home/derek/stunnel/dnstls.conf
Jan 3 08:28:44 dgpihole1 stunnel: LOG5[ui]: UTF-8 byte order mark not detected
Jan 3 08:28:44 dgpihole1 stunnel: LOG5[ui]: FIPS mode disabled
Jan 3 08:28:44 dgpihole1 stunnel: LOG5[ui]: Configuration successful
Jan 3 08:28:51 dgpihole1 stunnel: LOG5[0]: Service [dns] accepted connection from 172.56.30.146:41458
Jan 3 08:28:51 dgpihole1 stunnel: LOG5[1]: Service [dns] accepted connection from 179.6.222.181:34175
Jan 3 08:28:51 dgpihole1 stunnel: LOG3[1]: SSL_accept: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jan 3 08:28:51 dgpihole1 stunnel: LOG5[1]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
Jan 3 08:28:51 dgpihole1 stunnel: LOG3[0]: SSL_accept: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jan 3 08:28:51 dgpihole1 stunnel: LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
EDIT: I found the following two config file flags and tried them. It still failed:
Added flags:
Quote:
verify = 0
verifyChain = no
verifyPeer = no
sslVersion = all
Combined, I was hoping that it would not verify the cert and just connect as that's what I understood that flag to mean, and to permit all SSL versions in case it didn't like sslv3.
Same issue:
Quote:
Jan 3 08:38:02 dgpihole1 stunnel: LOG5[ui]: stunnel 5.39 on x86_64-pc-linux-gnu platform
Jan 3 08:38:02 dgpihole1 stunnel: LOG5[ui]: Compiled with OpenSSL 1.1.0c 10 Nov 2016
Jan 3 08:38:02 dgpihole1 stunnel: LOG5[ui]: Running with OpenSSL 1.1.0j 20 Nov 2018
Jan 3 08:38:02 dgpihole1 stunnel: LOG5[ui]: Update OpenSSL shared libraries or rebuild stunnel
Jan 3 08:38:02 dgpihole1 stunnel: LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
Jan 3 08:38:02 dgpihole1 stunnel: LOG5[ui]: Reading configuration from file /home/derek/stunnel/dnstls.conf
Jan 3 08:38:02 dgpihole1 stunnel: LOG5[ui]: UTF-8 byte order mark not detected
Jan 3 08:38:02 dgpihole1 stunnel: LOG5[ui]: FIPS mode disabled
Jan 3 08:38:02 dgpihole1 stunnel: LOG5[ui]: Configuration successful
Jan 3 08:38:17 dgpihole1 stunnel: LOG5[0]: Service [dns] accepted connection from 179.6.222.181:36567
Jan 3 08:38:18 dgpihole1 stunnel: LOG3[0]: SSL_accept: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jan 3 08:38:18 dgpihole1 stunnel: LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
Yeah, issue there is Pi-hole has port 80 in use for its httpd, so letsencrypt via Apache kind of flops.
I was able to at least see basic functionality with higher verbose. Wish I was at home to watch the log on adb and to see if stunnel would work from my home PC.
Quote:
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: Service [dns] started
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: Option TCP_NODELAY set on local socket
Jan 3 17:21:55 dgpihole1 stunnel: LOG5[0]: Service [dns] accepted connection from 179.6.222.181:37146
Jan 3 17:21:55 dgpihole1 stunnel: LOG6[0]: Peer certificate required
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS state (accept): before SSL initialization
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS state (accept): before SSL initialization
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: SNI: no virtual services defined
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS state (accept): SSLv3/TLS read client hello
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS state (accept): SSLv3/TLS write server hello
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS state (accept): SSLv3/TLS write certificate
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS state (accept): SSLv3/TLS write key exchange
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS state (accept): SSLv3/TLS write certificate request
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS state (accept): SSLv3/TLS write server done
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS alert (read): fatal: unknown CA
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: Remove session callback
Jan 3 17:21:55 dgpihole1 stunnel: LOG3[0]: SSL_accept: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jan 3 17:21:55 dgpihole1 stunnel: LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: Deallocating application specific data for addr index
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: Local descriptor (FD=3) closed
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: Service [dns] finished (0 left)
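The decisive detail in these logs is the direction of the alert. ssl3_read_bytes is the OpenSSL routine that reads records from the peer, the verbose stunnel line says "TLS alert (read): fatal: unknown CA", and OpenSSL encodes a received TLS alert as reason code 1000 + the alert number: 0x418 is 1048, and alert 48 is unknown_ca in RFC 5246. So the server never rejects anything here; Android receives the unbound_server.pem certificate, does not find its issuer in the phone's trust store, and sends the alert. Adding CAs to the Debian bundle or setting verify = 0 in stunnel changes what the server trusts, not what the phone trusts, which is why none of the attempts above alter the log. The decoder below is an added example written for this thread, not code from unbound, stunnel or the original poster. It unpacks the error code the way OpenSSL 1.1.x packs it (library, function, reason), parses the thread's own log lines plus one constructed contrast line with the code 1416F086 (certificate verify failed, the error you get when the local side rejects the peer's certificate), and reports which side refused which certificate. The constants are taken from the OpenSSL 1.1.x headers; the advice strings are mine.

```python
"""Decode OpenSSL handshake errors in unbound/stunnel logs and say which side rejected the certificate.

Added example for this thread, not code from unbound, stunnel or the poster. Numeric constants
come from the OpenSSL 1.1.x headers; sample lines are copied from the thread except the one
marked constructed.
"""
import re

# A packed OpenSSL 1.1.x error code is lib (8 bits) | func (12 bits) | reason (12 bits).
ERR_LIB_SSL = 20                       # "SSL routines"
SSL_AD_REASON_OFFSET = 1000            # reason >= 1000: a TLS alert was RECEIVED; alert = reason - 1000
SSL_R_CERTIFICATE_VERIFY_FAILED = 134  # this side could not verify the PEER's chain

# TLS AlertDescription values (RFC 5246 section 7.2) that matter for certificate problems.
TLS_ALERTS = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied", 51: "decrypt_error",
    70: "protocol_version", 80: "internal_error", 112: "unrecognized_name",
}

ADVICE = {
    "peer": "the remote end sent this alert after seeing OUR certificate: it does not trust the "
            "issuer (or the name does not match). Change the certificate we serve; the local "
            "CA store is irrelevant.",
    "local": "this end rejected the PEER's certificate: check the CA bundle and chain on this machine.",
}

# "error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca" as printed by unbound and stunnel
OPENSSL_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")
# stunnel debug line "TLS alert (read): fatal: unknown CA"; read = it came from the peer
STUNNEL_ALERT_RE = re.compile(r"TLS alert \((read|write)\): (\w+): (.*)")


def decode_openssl_error(code):
    """Split a packed error code into library, function and reason numbers."""
    return {"lib": (code >> 24) & 0xFF, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF}


def classify(line):
    """Return who rejected whom for one log line, or None if the line carries no TLS error."""
    m = STUNNEL_ALERT_RE.search(line)
    if m:
        direction, _level, text = m.groups()
        origin = "peer" if direction == "read" else "local"
        return {"origin": origin, "alert": text.strip().lower().replace(" ", "_"),
                "advice": ADVICE[origin]}
    m = OPENSSL_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    parts = decode_openssl_error(code)
    result = {"code": "%08X" % code, "func": m.group(3), "reason_text": m.group(4).strip()}
    if parts["lib"] != ERR_LIB_SSL:
        result.update(origin="other", alert=None, advice="not an SSL-routines error")
    elif parts["reason"] >= SSL_AD_REASON_OFFSET:
        n = parts["reason"] - SSL_AD_REASON_OFFSET
        result.update(origin="peer", alert=TLS_ALERTS.get(n, "alert_%d" % n), advice=ADVICE["peer"])
    elif parts["reason"] == SSL_R_CERTIFICATE_VERIFY_FAILED:
        result.update(origin="local", alert=None, advice=ADVICE["local"])
    else:
        result.update(origin="local", alert=None,
                      advice="other local handshake error: " + result["reason_text"])
    return result


def triage(lines):
    """Classify every line that carries a TLS error, in order."""
    return [r for r in map(classify, lines) if r is not None]


SAMPLE_LOG = [
    # copied from the thread: unbound, stunnel at default verbosity, stunnel at debug verbosity
    "Jan 2 18:53:23 dgunbound unbound: [4579:0] error: ssl handshake failed crypto "
    "error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca",
    "Jan 3 08:21:21 dgpihole1 stunnel: LOG3[0]: SSL_accept: 14094418: "
    "error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca",
    "Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS alert (read): fatal: unknown CA",
    # constructed contrast case: the log when THIS side rejects the peer's certificate
    "Jan 3 17:30:00 client stunnel: LOG3[0]: SSL_connect: 1416F086: "
    "error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed",
]

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print("%-5s %-22s %s" % (r["origin"], r.get("alert"), r["advice"]))
```

Run it as-is and the three thread lines come out as "peer unknown_ca" while the constructed line comes out as "local": the first kind is fixed on the server by serving a certificate chain issued by a CA the client already trusts, with the hostname the phone is configured with in the SAN; the second kind is the only one a CA-bundle change on the logging machine can fix.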