TLS certificate question about Unbound 1.9.2

Wouter Wijngaards wouter at nlnetlabs.nl
Wed Apr 3 11:31:35 UTC 2019


Hi,

Yes this error seems to be because the tls-cert-bundle option has to be
after a server: block start, but it was put after the forward-zone:
block start.

Just insert  server: before the tls-cert-bundle: line, like on a new
line above it.

Or, instead, move that tls-cert-bundle option to a place closer to the
start of the file, not inside that forward-zone block.

(It is possible to have several server: sections and they all get read
in one after another. The config file should still be compatible, by the
way, with older versions, back to version 1.0.)

Best regards, Wouter

On 03/04/2019 12:09, Yuri via Unbound-users wrote:
> Yes, Tom, yesterday I had the same question :) Probably you are right.
>
> 03.04.2019 13:31, Tom Hendrikx via Unbound-users wrote:
>> Hi,
>>
>> When I add some garbage to my config:
>>
>> =============================
>> $ cat unbound.conf
>> # Unbound configuration file for Debian.
>> #
>> # See the unbound.conf(5) man page.
>> #
>> # See /usr/share/doc/unbound/examples/unbound.conf for a commented
>> # reference config file.
>> #
>> # The following line includes additional configuration files from the
>> # /etc/unbound/unbound.conf.d directory.
>> include: "/etc/unbound/unbound.conf.d/*.conf"
>>
>> # these lines are added
>> hoeba:
>>    kek: yes
>>
>> =========================
>>
>> I see similar errors:
>>
>> $ sudo unbound-checkconf
>> /etc/unbound/unbound.conf:12: error: unknown keyword 'hoeba'
>> /etc/unbound/unbound.conf:12: error: stray ':'
>> /etc/unbound/unbound.conf:13: error: unknown keyword 'kek'
>> /etc/unbound/unbound.conf:13: error: stray ':'
>> /etc/unbound/unbound.conf:13: error: unknown keyword 'yes'
>> read /etc/unbound/unbound.conf failed: 5 errors in configuration file
>>
>>
>> Maybe your indentation is just wrong? To me this looks like
>> 'tls-cert-bundle' is not properly placed inside a "server:" block.
>> It's hard to see in your HTML-formatted email.
>>
>> Kind regards,
>>     Tom
>>
>> On 03-04-19 00:25, rollingonchrome via Unbound-users wrote:
>>> Thanks again, Yuri.
>>>
>>> I'm still having problems. As a reminder, I'm on Raspbian which only
>>> has a 1.6.0 stable package.
>>>
>>> I downloaded and built the 1.9.1 source code from here:
>>> http://www.unbound.net/downloads/unbound-1.9.1.tar.gz
>>>
>>> The build is verified as Version 1.9.1.
>>>
>>> It works fine (exactly as on 1.6.0 and 1.9.2) WITHOUT the
>>> "tls-cert-bundle" keyword.
>>>
>>> With the "tls-cert-bundle" keyword, I continue to get this error and
>>> nothing works. It appears that unbound doesn't recognize the
>>> "tls-cert-bundle" keyword:
>>>
>>> Apr  2 15:06:51 raspberrypi_pi-hole systemd[1]: Started Unbound DNS
>>> server via resolvconf.
>>> Apr  2 15:06:51 raspberrypi_pi-hole unbound[27172]:
>>> /etc/unbound/unbound.conf.d/tls-cert-bundle.conf:4: error: unknown
>>> keyword 'tls-cert-bundle'
>>> Apr  2 15:06:51 raspberrypi_pi-hole unbound[27172]:
>>> /etc/unbound/unbound.conf.d/tls-cert-bundle.conf:4: error: stray ':'
>>> Apr  2 15:06:51 raspberrypi_pi-hole unbound[27172]:
>>> /etc/unbound/unbound.conf.d/tls-cert-bundle.conf:4: error: stray '"'
>>> Apr  2 15:06:51 raspberrypi_pi-hole unbound[27172]:
>>> /etc/unbound/unbound.conf.d/tls-cert-bundle.conf:4: error: unknown
>>> keyword '/etc/ssl/certs/ca-certificates.crt'
>>> Apr  2 15:06:51 raspberrypi_pi-hole unbound[27172]:
>>> /etc/unbound/unbound.conf.d/tls-cert-bundle.conf:4: error: stray '"'
>>> Apr  2 15:06:51 raspberrypi_pi-hole unbound[27172]: read
>>> /etc/unbound/unbound.conf failed: 5 errors in configuration file
>>> Apr  2 15:06:51 raspberrypi_pi-hole unbound[27172]: [1554242811]
>>> unbound[27172:0] fatal error: Could not read config file:
>>> /etc/unbound/unbound.conf
>>>
>>> Yuri yvoinov at gmail.com
>>> Tue Apr 2 21:43:19 CEST 2019
>>>
>>> You're welcome :)
>>>
>>> And make sure you really installed built binaries.
>>>
>>>
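
A small lint pass for the placement rule described in the reply above, as an added example that is not part of the original thread and not Unbound's own code: it flags `server:` options that follow another clause such as `forward-zone:`. The clause and option sets are an illustrative subset, the upstream address is constructed, and `unbound-checkconf` remains the authoritative check.

```python
import re

# Assumption: a small illustrative subset of unbound.conf(5) names, not the full grammar.
CLAUSES = {"server", "forward-zone", "stub-zone", "auth-zone", "remote-control"}
SERVER_OPTIONS = {"tls-cert-bundle", "interface", "access-control", "verbosity"}

KEY_RE = re.compile(r"^\s*([A-Za-z0-9-]+):")
# '#' starts a comment only at line start or after whitespace, so the
# '#name' suffix in 'forward-addr: ip@853#name' is left intact.
COMMENT_RE = re.compile(r"(^|\s)#.*$")


def misplaced_server_options(text):
    """Return (line_no, option, clause) for server: options found in another clause.

    Simplification: one clause header or one option per line.
    """
    findings = []
    clause = None  # no clause opened yet
    for line_no, raw in enumerate(text.splitlines(), start=1):
        match = KEY_RE.match(COMMENT_RE.sub("", raw))
        if not match:
            continue
        key = match.group(1)
        if key in CLAUSES:
            clause = key
        elif key in SERVER_OPTIONS and clause != "server":
            findings.append((line_no, key, clause))
    return findings


# Constructed sample: the option follows a forward-zone: clause.
BROKEN = """\
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 192.0.2.53@853#dns.example   # constructed upstream
tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
"""

# Same file with a server: line inserted above the option, as the reply suggests.
FIXED = BROKEN.replace("tls-cert-bundle:", "server:\n    tls-cert-bundle:")

if __name__ == "__main__":
    for line_no, key, clause in misplaced_server_options(BROKEN):
        print(f"line {line_no}: '{key}' is inside '{clause}:', expected 'server:'")
    print("fixed file findings:", misplaced_server_options(FIXED))
```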
