<div dir="ltr">Hi there,<div><br></div><div>I recently noticed that I get an error thrown by Unbound which says it can't verify the certificate (possibly the root CA?) for Cloudflare. Quad9 works like a charm.</div><div><br></div><div>[1063:0] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed<br>[1063:0] notice: ssl handshake failed 1.1.1.1 port 853<br></div><div><br></div><div>I verified over at the Cloudflare community forum that my certs look good etc. So now I am trying to verify that Unbound works correctly.</div><div><br></div><div>My unbound.conf looks like this:</div><div><br></div><div>server:<br>    use-syslog: yes<br>    do-daemonize: no<br>    username: "unbound"<br>    directory: "/etc/unbound"<br><br>    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"<br>    trust-anchor-file: trusted-key.key<br>    root-hints: root.hints<br><br>    interface:              127.0.0.1<br>    interface:              172.16.0.254<br>    interface:              172.17.0.254<br><br>    access-control:         127.0.0.1/32 allow<br>    access-control:         172.16.0.0/16 allow<br>    access-control:         172.17.0.0/16 allow<br><br>    do-ip4:                 yes<br>    do-ip6:                 no<br>    do-udp:                 yes<br>    do-tcp:                 yes<br><br>    verbosity:              1<br><br>    hide-identity:          yes<br>    hide-version:           yes<br><br>    harden-glue: yes<br>    harden-dnssec-stripped: yes<br>    use-caps-for-id: yes<br><br>    prefetch: yes<br><br>    unwanted-reply-threshold: 10000<br><br>    private-address: 192.168.0.0/16<br>    private-address: 172.16.0.0/12<br>    private-address: 10.0.0.0/8<br><br>    private-domain: "local"<br>    local-zone:     "local" static<br></div><div><br></div><div>forward-zone:<br>    name:                   "."<br>    forward-tls-upstream: yes<br>    forward-addr: 1.1.1.1@853#cloudflare<br>    forward-addr: 9.9.9.9@853#dns.quad9.net<br>    forward-addr: 1.0.0.1@853#cloudflare<br>    forward-addr: 146.185.167.43@853#SecureDNS.eu<br></div><div><br></div><div>This is the thread at Cloudflare:</div><div><a href="https://community.cloudflare.com/t/dns-over-tls-cant-verify-certificate/139530" target="_blank">https://community.cloudflare.com/t/dns-over-tls-cant-verify-certificate/139530</a></div><div><br></div><div>Thank you for your help. I really appreciate it.</div><div><br></div><div>Greetings</div><div><br></div><div>Bastian</div></div>
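<p>Added editor's note and example, not part of Bastian's message and not Unbound's own code. When <code>tls-cert-bundle</code> is set, Unbound requires two things of a <code>forward-addr: IP@PORT#NAME</code> upstream: the server's certificate chain must validate against the bundle, and the auth name after <code>#</code> must match a subjectAltName of the certificate the server presents. A failure of either surfaces as the "certificate verify failed" error in the post. Since <code>#dns.quad9.net</code> works with the same bundle, the first thing to compare is the <code>#cloudflare</code> entry against the names the 1.1.1.1 certificate actually carries: a bare label like <code>cloudflare</code> is not a hostname and cannot appear as a dNSName SAN in a publicly issued certificate. The script below reproduces both checks with the openssl CLI. It is self-contained: it generates a throwaway self-signed certificate (the names <code>dns.example.test</code>, <code>*.example.test</code> and <code>192.0.2.1</code> are constructed test data) so the SAN-matching logic runs offline, and the usage comment at the end shows the same functions pointed at a live forwarder.</p>

```shell
#!/bin/sh
# Added example, not from the original post or from Unbound. Reproduces the
# two checks Unbound performs for "forward-addr: IP@PORT#NAME" when
# tls-cert-bundle is configured: chain validation against the bundle and
# matching NAME against the server certificate's subjectAltName entries.
# Requires the openssl CLI. dns.example.test / *.example.test / 192.0.2.1
# below are constructed test data, not real resolver names.
set -u

# san_names CERT_PEM: print the certificate's subjectAltName entries, one per
# line, in openssl's "DNS:host" / "IP Address:addr" form.
san_names() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Subject Alternative Name/ {
                 getline; sub(/^[ \t]+/, "")
                 n = split($0, a, /, */)
                 for (i = 1; i <= n; i++) print a[i]
             }'
}

# auth_name_matches CERT_PEM NAME: succeed only if NAME would satisfy the
# certificate's SANs: an exact dNSName, an exact iPAddress, or a wildcard
# entry covering exactly one leading label (*.example.test matches
# a.example.test but neither example.test nor b.a.example.test).
auth_name_matches() {
    san_names "$1" | {
        name=$2 found=1
        while IFS= read -r entry; do
            case $entry in
                "DNS:$name"|"IP Address:$name") found=0 ;;
                "DNS:*."*)
                    parent=${name#*.}          # strip the leftmost label
                    suffix=${entry#DNS:?.}     # strip the literal "DNS:*."
                    if [ "$parent" != "$name" ] && [ "$parent" = "$suffix" ]; then
                        found=0
                    fi ;;
            esac
        done
        exit "$found"
    }
}

# fetch_cert IP PORT OUT_PEM: save the leaf certificate an upstream presents
# on its TLS port, so san_names / auth_name_matches can inspect it.
fetch_cert() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null | openssl x509 -out "$3"
}

# verify_upstream IP PORT NAME CA_BUNDLE: the complete check, equivalent to
# what Unbound does for "forward-addr: IP@PORT#NAME" with
# "tls-cert-bundle: CA_BUNDLE". Fails if the chain does not validate against
# the bundle or NAME does not match the certificate's SANs.
verify_upstream() {
    openssl s_client -connect "$1:$2" -servername "$3" -verify_hostname "$3" \
        -CAfile "$4" -verify_return_error </dev/null >/dev/null 2>&1
}

# Constructed, throwaway self-signed certificate with the SAN shapes a DoT
# resolver's certificate typically has: hostnames, a wildcard and an address.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT=$WORK/cert.pem
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=dns.example.test' \
    -addext 'subjectAltName=DNS:dns.example.test,DNS:*.example.test,IP:192.0.2.1' \
    -keyout "$WORK/key.pem" -out "$CERT" 2>/dev/null

# Usage against a real upstream (needs network), using the first forwarder
# and the bundle path from the post:
#   fetch_cert 1.1.1.1 853 /tmp/cf.pem && san_names /tmp/cf.pem
#   auth_name_matches /tmp/cf.pem cloudflare && echo "name ok" || echo "name mismatch"
#   verify_upstream 1.1.1.1 853 cloudflare /etc/ssl/certs/ca-certificates.crt \
#       && echo "unbound would accept" || echo "unbound would reject"
```

Run <code>san_names</code> on the fetched certificate first: if none of the printed entries equals the auth name, the error is a name mismatch and no change to the CA bundle will fix it; only if the name matches does <code>verify_upstream</code> failing point at the bundle or the chain.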