I was willing to regenerate a new pair of keys for my unbound and pakfire stoped working.
How can can I get pakfire to work again with my new selfsign openssl pair?
Why did you do that?
You could do a restore from the backup you hopefully ran before creating the new keys and certs. That would restore back the previous keys and certs for both unbound-server and unbound-control.
I don’t know how pakfire interacts with the unbound certificates.
You would probably need to look through the pakfire code and see where and how it uses those certificates.
1 Like
The files
- unbound_server.key
- unbound_server.pem
- unbound_control.key
- unbound_control.pem
are created by the script unbound-control-setup which is probably run by unbound when it is first run and certain files, like these certs & keys, are not yet present.
Certainly the unbound-control-setup script creates those files if they are not present and does not recreate them if they are already present. The script ensures that all the required settings for those files is as unbound would be expecting them.
If you have manually run openssl to create the new keys/certs then unbound itself may not be happy with them. Have you checked that unbound is actually running.
I would suggest that your best bet is to leave unbound to create those keys/certs so restore from your backup to recover the original keys/certs.
1 Like
Self signed certificates lasts quite long. However… sometimes for creating a “before and after” condition the certificate renewal is a nice touch.
When a company changed the laptop fleet (15 laptops) OpenVPN server and clients certificates renewal was a “now no one can connect even if they retrieve the old files”.
Why did you do that?
Unbound can handle TLS-encrypted DNS messages, enabling DoH in Unbound is as simple as configuring the TLS certificate and the corresponding private key. I couldn’t find any private key in ssl/certs. So I thought to regenerate one.
The main goal is to make unbound inspect all 443 to avoid non-wanted pages or objects in pages that bypass unbound through doh
server:
interface: 127.0.0.1@443
tls-service-key: "key.pem"
tls-service-pem: "cert.pem"
https://unbound.docs.nlnetlabs.nl/en/latest/topics/privacy/dns-over-https.html
So you didn’t regenerate a key and certs in unbound, you created new tls-service keys and cert that didn’t exist before. Then you added those config entries manually into the unbound.conf file.
The link you provided suggests that unbound requires the nghttp2 library to be able to use the http/2 framing layer that allows the DoH to work on top of any existing unbound tcp settings.
However the nghttp2 library is not installed in IPFire. So you would need to build yourself a custom IPFire build that also installed that library.
Whether additional changes wouldthen be needed in the rest of the IPFire code to make that DoH work, I have no idea.
1 Like
True, I did generated first a key (key.pem) for the existing cert.pem in /ssl which using modulus comparing didn’t match. So I created a pair to use and wrote it manually in unbound.config. which didn’t work, so I’m backing to original certs but pakfire stoped working (certificate issues).
The benefits worth the test, I suppose I’ll stop now since pakfire is unusable.
I have also found that as well as having nghttp2 installed in IPFire, unbound would then need to be built with the configure option of --with-libnghttp2 for unbound to be built so that it will actually use nghttp2.
There is an issue in the unbound github repo about configuring unbound to do DoH with nghttp2.
https://github.com/NLnetLabs/unbound/issues/445
So you would need to do a custom build of IPFire.
Unbound, as it is built in IPFire, does not enable nghttp2 (which is not installed anyway) and therefore DoH can’t work with unbound in its current installed form.
If you wanted to give it a go at building a custom version to see how to make it work the the wiki has info.
https://www.ipfire.org/docs/devel/ipfire-2-x/build-howto
3 Likes