TLS certificate question about Unbound 1.9.2

rollingonchrome rollingonchrome at gmail.com
Thu Apr 4 17:35:34 UTC 2019


Hi Wouter,

Thank you for taking a look at my config file.

Sorry for any confusion. I am running Unbound 1.9.1. That should support
the tls-cert-bundle option, correct?

I had initially tried my config file with 1.9.2, but at Yuri's suggestion,
I downgraded to the latest stable version, 1.9.1.

The tls-cert-bundle option did not work with either 1.9.2 or 1.9.1.

I am running Unbound compiled from source on a Raspberry Pi (Raspbian
Jessie).

I now think the problem may be in the OpenSSL version on Raspbian, which
only supports TLS 1.2.

Thank you for your help.

Best,

RoC

Wouter Wijngaards wouter at nlnetlabs.nl
Thu Apr 4 09:04:46 CEST 2019

Hi,

So this config file is fine, the tls-cert-bundle should work fine with a
version of unbound that supports the options (eg. 1.9.2).  Like, for me,
it works.  I guess you downgraded and are now using an older version
that does not support the tls-cert-bundle option, so the unknown keyword
error is accurate?

Best regards, Wouter

On 4/3/19 7:52 PM, rollingonchrome via Unbound-users wrote:
> Hello,
>
> Thank you for the replies. I believe I have the tls-cert-bundle
> information correctly indented now. But, I am still getting the same
> errors as before about unknown keywords and strays.
>
> It is indented like this:
>
> server:
>       [a few lines omitted]
>      #Added for DoT
>      tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
>
> Here is a link to my actual conf file if anyone would be willing to take
> a look:
> https://send.firefox.com/download/83192a35d41caf47/#G4NxNtajpM1KmZgLI-boBg
>
> I've read that OpenSSL on Jessie doesn't support any TLS except 1.2, so
> I'm wondering if that might be this issue. Not sure what version of TLS
> Unbound 1.9.1 uses (I downgraded).
>
> Thank you for your help.
>
> Best,
>
> RoC