TLS certificate question about Unbound 1.9.2

Yuri yvoinov at gmail.com
Wed Apr 3 11:34:22 UTC 2019


Thank you, Wouter, otherwise I’m drowning sometimes - I forgot that an
unstructured config can be easily written :)

03.04.2019 17:31, Wouter Wijngaards via Unbound-users wrote:
> Hi,
>
> Yes this error seems to be because the tls-cert-bundle option has to be
> after a server: block start, but it was put after the forward-zone:
> block start.
>
> Just insert server: before the tls-cert-bundle: line, like on a new
> line above it.
>
> Or, instead, move that tls-cert-bundle option to a place closer to the
> start of the file, not inside that forward-zone block.
>
> (It is possible to have several server: sections and they all get read
> in one after another. The config file should still be compatible, by the
> way, from older versions, back to version 1.0).
>
> Best regards, Wouter
>
> On 03/04/2019 12:09, Yuri via Unbound-users wrote:
>> Yes, Tom, yesterday I had the same question :) Probably you are right.
>>
>> 03.04.2019 13:31, Tom Hendrikx via Unbound-users wrote:
>>> Hi,
>>>
>>> When I add some garbage to my config:
>>>
>>> =============================
>>> $ cat unbound.conf
>>> # Unbound configuration file for Debian.
>>> #
>>> # See the unbound.conf(5) man page.
>>> #
>>> # See /usr/share/doc/unbound/examples/unbound.conf for a commented
>>> # reference config file.
>>> #
>>> # The following line includes additional configuration files from the
>>> # /etc/unbound/unbound.conf.d directory.
>>> include: "/etc/unbound/unbound.conf.d/*.conf"
>>>
>>> # these lines are added
>>> hoeba:
>>>    kek: yes
>>>
>>> =========================
>>>
>>> I see similar errors:
>>>
>>> $ sudo unbound-checkconf
>>> /etc/unbound/unbound.conf:12: error: unknown keyword 'hoeba'
>>> /etc/unbound/unbound.conf:12: error: stray ':'
>>> /etc/unbound/unbound.conf:13: error: unknown keyword 'kek'
>>> /etc/unbound/unbound.conf:13: error: stray ':'
>>> /etc/unbound/unbound.conf:13: error: unknown keyword 'yes'
>>> read /etc/unbound/unbound.conf failed: 5 errors in configuration file
>>>
>>>
>>> Maybe your indentation is just wrong? To me this looks like
>>> 'tls-cert-bundle' is not properly placed inside a "server:" block.
>>> It's hard to see in your HTML-formatted email.
>>>
>>> Kind regards,
>>>     Tom
>>>
>>> On 03-04-19 00:25, rollingonchrome via Unbound-users wrote:
>>>> Thanks again, Yuri.
>>>>
>>>> I'm still having problems. As a reminder, I'm on Raspbian which only
>>>> has a 1.6.0 stable package.
>>>>
>>>> I downloaded and built the 1.9.1 source code from here:
>>>> http://www.unbound.net/downloads/unbound-1.9.1.tar.gz
>>>>
>>>> The build is verified as Version 1.9.1.
>>>>
>>>> It works fine (exactly as on 1.6.0 and 1.9.2) WITHOUT the
>>>> "tls-cert-bundle" keyword.
>>>>
>>>> With the "tls-cert-bundle" keyword, I continue to get this error and
>>>> nothing works. It appears that unbound doesn't recognize the
>>>> "tls-cert-bundle" keyword:
>>>>
>>>> Apr  2 15:06:51 raspberrypi_pi-hole systemd[1]: Started Unbound DNS
>>>> server via resolvconf.
>>>> Apr  2 15:06:51 raspberrypi_pi-hole unbound[27172]:
>>>> /etc/unbound/unbound.conf.d/tls-cert-bundle.conf:4: error: unknown
>>>> keyword 'tls-cert-bundle'
>>>> Apr  2 15:06:51 raspberrypi_pi-hole unbound[27172]:
>>>> /etc/unbound/unbound.conf.d/tls-cert-bundle.conf:4: error: stray ':'
>>>> Apr  2 15:06:51 raspberrypi_pi-hole unbound[27172]:
>>>> /etc/unbound/unbound.conf.d/tls-cert-bundle.conf:4: error: stray '"'
>>>> Apr  2 15:06:51 raspberrypi_pi-hole unbound[27172]:
>>>> /etc/unbound/unbound.conf.d/tls-cert-bundle.conf:4: error: unknown
>>>> keyword '/etc/ssl/certs/ca-certificates.crt'
>>>> Apr  2 15:06:51 raspberrypi_pi-hole unbound[27172]:
>>>> /etc/unbound/unbound.conf.d/tls-cert-bundle.conf:4: error: stray '"'
>>>> Apr  2 15:06:51 raspberrypi_pi-hole unbound[27172]: read
>>>> /etc/unbound/unbound.conf failed: 5 errors in configuration file
>>>> Apr  2 15:06:51 raspberrypi_pi-hole unbound[27172]: [1554242811]
>>>> unbound[27172:0] fatal error: Could not read config file:
>>>> /etc/unbound/unbound.conf
>>>>
>>>> Yuri yvoinov at gmail.com <http://gmail.com>
>>>> Tue Apr 2 21:43:19 CEST 2019
>>>>
>>>> You're welcome :)
>>>>
>>>> And make sure you really installed built binaries.
>>>>
>>>>
-- 
"C++ seems like a language suitable for firing other people's legs."

*****************************
* C++20 : Bug to the future *
*****************************
