No subject

Ralph Dolmans ralph at nlnetlabs.nl
Fri Jan 3 15:53:14 UTC 2020


Hi Bastian,

The name after the "#" in your forward-addr should match the name on the
certificate returned by the configured forwarder. That is not the case
in your configuration. This should do the trick:

forward-addr: 1.1.1.1@853#one.one.one.one

-- Ralph

On 31-12-2019 18:00, Bastian Horn via unbound-users wrote:
> Hi there,
> 
> I recently noticed that I get an error thrown by unbound which says it
> can't verify the certificate (possibly the root CA?) for Cloudflare.
> Quad9 works like a charm.
> 
> [1063:0] error: ssl handshake failed crypto error:1416F086:SSL
> routines:tls_process_server_certificate:certificate verify failed
> [1063:0] notice: ssl handshake failed 1.1.1.1 port 853
> 
> I verified over at the Cloudflare community forum that my certs look good
> etc. So now I try to verify that unbound works correctly.
> 
> My unbound.conf looks like this:
> 
> server:
>     use-syslog: yes
>     do-daemonize: no
>     username: "unbound"
>     directory: "/etc/unbound"
> 
>     tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
>     trust-anchor-file: trusted-key.key
>     root-hints: root.hints
> 
>     interface:              127.0.0.1
>     interface:              172.16.0.254
>     interface:              172.17.0.254
> 
>     access-control:         127.0.0.1/32 allow
>     access-control:         172.16.0.0/16 allow
>     access-control:         172.17.0.0/16 allow
> 
>     do-ip4:                 yes
>     do-ip6:                 no
>     do-udp:                 yes
>     do-tcp:                 yes
> 
>     verbosity:              1
> 
>     hide-identity:          yes
>     hide-version:           yes
> 
>     harden-glue: yes
>     harden-dnssec-stripped: yes
>     use-caps-for-id: yes
> 
>     prefetch: yes
> 
>     unwanted-reply-threshold: 10000
> 
>     private-address: 192.168.0.0/16
>     private-address: 172.16.0.0/12
>     private-address: 10.0.0.0/8
> 
>     private-domain: "local"
>     local-zone:     "local" static
> 
> forward-zone:
>     name:                   "."
>     forward-tls-upstream: yes
>     forward-addr: 1.1.1.1@853#cloudflare
>     forward-addr: 9.9.9.9@853#dns.quad9.net
>     forward-addr: 1.0.0.1@853#cloudflare
>     forward-addr: 146.185.167.43@853#SecureDNS.eu
> 
> 
> 
> this is the thread at cloudflare:
> https://community.cloudflare.com/t/dns-over-tls-cant-verify-certificate/139530
> 
> Thank you for your help. I really appreciate it.
> 
> Greetings
> 
> Bastian 
> 
> 
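To check a forward-addr entry the way Ralph describes, here is an added Python example (not code from unbound or from either poster): it parses the ip@port#name syntax, shows offline why an auth name like "cloudflare" cannot match a certificate whose subjectAltName entries look like the constructed SAMPLE_SANS list, and can run a live handshake against the forwarder with the same CA bundle as tls-cert-bundle. SAMPLE_SANS and the probe_forwarder helper are this example's own assumptions.

```python
import re
import socket
import ssl

# Constructed sample: the kind of dNSName SAN entries a resolver operator sees
# on an upstream DoT certificate (illustrative, not copied from a real cert).
SAMPLE_SANS = ["cloudflare-dns.com", "*.cloudflare-dns.com", "one.one.one.one"]

def parse_forward_addr(value):
    """Split an unbound forward-addr value 'ip[@port][#authname]' into parts."""
    m = re.fullmatch(r"([^@#\s]+)(?:@(\d+))?(?:#(\S+))?", value.strip())
    if not m:
        raise ValueError(f"unparseable forward-addr: {value!r}")
    ip, port, name = m.groups()
    return {"ip": ip, "port": int(port) if port else 53, "auth_name": name}

def name_matches_san(auth_name, san_names):
    """RFC 6125-style check: case-insensitive exact match, or a wildcard in the
    leftmost label only ('*.example' matches 'a.example', not 'a.b.example')."""
    host = auth_name.lower().rstrip(".").split(".")
    for san in san_names:
        labels = san.lower().rstrip(".").split(".")
        if len(labels) != len(host):
            continue
        if labels == host or (labels[0] == "*" and len(labels) > 1
                              and labels[1:] == host[1:]):
            return True
    return False

def probe_forwarder(ip, port, auth_name, cafile, timeout=5.0):
    """Live check mirroring unbound's handshake: verify the chain against cafile
    and the certificate name against auth_name. Returns None on success,
    otherwise the verification error text (e.g. 'Hostname mismatch ...')."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=auth_name):
                return None
    except ssl.SSLCertVerificationError as e:
        return e.verify_message
    except OSError as e:  # connection refused, timeout, other TLS failures
        return str(e)

if __name__ == "__main__":
    # Compare the failing entry from the thread with the corrected one.
    for line in ["1.1.1.1@853#cloudflare", "1.1.1.1@853#one.one.one.one"]:
        fa = parse_forward_addr(line)
        print(line, "->", probe_forwarder(fa["ip"], fa["port"], fa["auth_name"],
                                          "/etc/ssl/certs/ca-certificates.crt"))
```

The live probe needs network access; the parser and matcher run offline and are what unbound's error "certificate verify failed" boils down to when the chain itself is fine.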


