No subject

Bastian Horn bastianhorn at gmail.com
Tue Dec 31 17:00:08 UTC 2019


Hi there,

I recently noticed that I get an error thrown by Unbound which says it can't
verify the certificate (possibly the root CA?) for Cloudflare. Quad9 works
like a charm.

[1063:0] error: ssl handshake failed crypto error:1416F086:SSL
routines:tls_process_server_certificate:certificate verify failed
[1063:0] notice: ssl handshake failed 1.1.1.1 port 853

I verified over at the Cloudflare community forum that my certs look good etc.
So now I am trying to verify that Unbound works correctly.

My unbound.conf looks like this:

server:
    use-syslog: yes
    do-daemonize: no
    username: "unbound"
    directory: "/etc/unbound"

    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    trust-anchor-file: trusted-key.key
    root-hints: root.hints

    interface:              127.0.0.1
    interface:              172.16.0.254
    interface:              172.17.0.254

    access-control:         127.0.0.1/32 allow
    access-control:         172.16.0.0/16 allow
    access-control:         172.17.0.0/16 allow

    do-ip4:                 yes
    do-ip6:                 no
    do-udp:                 yes
    do-tcp:                 yes

    verbosity:              1

    hide-identity:          yes
    hide-version:           yes

    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: yes

    prefetch: yes

    unwanted-reply-threshold: 10000

    private-address: 192.168.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8

    private-domain: "local"
    local-zone:     "local" static

forward-zone:
    name:                   "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 1.0.0.1@853#cloudflare
    forward-addr: 146.185.167.43@853#SecureDNS.eu



this is the thread at cloudflare:
https://community.cloudflare.com/t/dns-over-tls-cant-verify-certificate/139530


Thank you for your help. I really appreciate it.

Greetings

Bastian
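Editor's note (added example, not part of the original post): in Unbound's forward-addr syntax the text after `#` is the authentication name that Unbound checks against the upstream server's TLS certificate (Subject Alternative Name), alongside the CA check done with tls-cert-bundle. A label that is not a real DNS name the certificate carries cannot match, and the handshake fails with "certificate verify failed" even though the chain itself is trusted. The fragment below contrasts a forward-zone with such a label against one that uses the hostnames Cloudflare publishes for its DNS-over-TLS service (cloudflare-dns.com and one.one.one.one); the SecureDNS.eu entry is omitted because its certificate name is not given on this page.

```conf
# Added example: weak vs. corrected DNS-over-TLS forwarders for Unbound.
# Syntax: forward-addr: <ip>@<port>#<auth-name>
# <auth-name> must appear in the upstream certificate's SAN list.

# --- Weak: "cloudflare" is a label, not a hostname in the certificate.
#     Unbound trusts the chain but the name check fails:
#     "ssl handshake failed ... certificate verify failed"
# forward-zone:
#     name: "."
#     forward-tls-upstream: yes
#     forward-addr: 1.1.1.1@853#cloudflare
#     forward-addr: 1.0.0.1@853#cloudflare

# --- Corrected: use a name the certificate actually carries.
server:
    # CA bundle used to validate upstream certificate chains (path is the
    # Debian/Ubuntu location; adjust for your distribution).
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Cloudflare: either published DoT hostname matches the certificate SAN.
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    # Equivalent alternative:
    # forward-addr: 1.1.1.1@853#one.one.one.one
    # Quad9: hostname already correct in the original configuration.
    forward-addr: 9.9.9.9@853#dns.quad9.net
```

To confirm the name independently of Unbound, `openssl s_client -connect 1.1.1.1:853 -servername cloudflare-dns.com -verify_hostname cloudflare-dns.com` prints the SAN list and a "Verification: OK" line when the CA bundle and hostname both check out; `unbound-checkconf` then validates the edited file before restarting the daemon.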