Bug 221 - Starting unbound fails when ssl files are missing, but it does not report it
Status: RESOLVED FIXED
Product: unbound
Classification: Unclassified
Component: server
Version: 1.1.1
Hardware: Other Linux
Importance: P2 normal
Assigned To: unbound team
Depends on:
Blocks:
Reported: 2008-12-08 21:43 CET by Tom Hendrikx
Modified: 2008-12-09 10:35 CET
Description Tom Hendrikx 2008-12-08 21:43:04 CET
When starting unbound with "control-enable: yes" in the config file, but without (or with corrupt) ssl files in the specified locations, the command "unbound -c /etc/unbound/unbound.conf" returns 0, as if starting without issues.

The log file however states:

Dec  8 21:20:16 stella unbound: [18821:0] info: open syslog, startup in progress
Dec  8 21:20:16 stella unbound: [18821:0] warning: did not exit gracefully last time (32527)
Dec  8 21:20:16 stella unbound: [18822:0] notice: init module 0: validator
Dec  8 21:20:16 stella unbound: [18822:0] notice: init module 1: iterator
Dec  8 21:20:16 stella unbound: [18822:0] error: Error setting up SSL_CTX key and cert crypto error:02001002:system library:fopen:No such file or directory
Dec  8 21:20:16 stella unbound: [18822:0] error: and additionally crypto error:20074002:BIO routines:FILE_CTRL:system lib
Dec  8 21:20:16 stella unbound: [18822:0] error: and additionally crypto error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Dec  8 21:20:16 stella unbound: [18822:0] fatal error: Could not initialize main thread

This is tested with subversion trunk (rev 1383)
Comment 1 Wouter Wijngaards 2008-12-09 08:56:20 CET
This is the error returned from OpenSSL.
It prints 'No such file or directory' in the errors.

Maybe I can print more for this error.

Thanks for the report,
   Wouter
Comment 2 Wouter Wijngaards 2008-12-09 10:01:25 CET
Reading again, do you mean you would like unbound to exit with a failed exit code? It is not possible to detect all errors before daemonizing. However, this is why there is unbound-checkconf, that performs a lot of checks without starting the daemon yet. It is good practice to do x-checkconf before starting daemon x, also for apache and named, and so forth.

I note that unbound-checkconf does not check if the keyfiles exist. It reports no errors even though the key files are missing. This is something I can fix.

Best regards,
   Wouter
Comment 3 Tom Hendrikx 2008-12-09 10:25:01 CET
That's indeed what I saw as a problem; the SSL error in the log file is pretty descriptive.

I already patched unbound-checkconf to check for the existence of the unbound_server.* files, but thought that unbound itself could report the failing startup itself.

This makes a new option 'status' (or 'running' in nsd analogy) for unbound-control useful (which I have currently implemented in bash using the return code of 'unbound-control stats'), that could be used to have a reliable check to see if unbound is actually running.
Comment 4 Wouter Wijngaards 2008-12-09 10:35:09 CET
Fixed unbound-checkconf.

The status command exists in the /etc/rc.d/init.d/unbound script (or /usr/local/etc/rc.d/unbound), but I'll keep that feature suggestion for unbound-control on the TODO, easy and could be useful.

svn trunk 1384 has the fix.

Best regards,
   Wouter
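The pre-start check Wouter recommends in Comment 2, together with the key-file existence test he notes unbound-checkconf lacked at r1383, as an added shell example that is not unbound's or unbound-checkconf's own code: it reads the remote-control file options from an unbound.conf and refuses to proceed when any named file is missing, instead of letting the forked daemon die with only a syslog line. It assumes the option names from unbound.conf(5) (control-enable, server-key-file, server-cert-file, control-key-file, control-cert-file); the function names and the temporary config it builds for the demonstration are this example's own.

```shell
#!/bin/sh
# Added example, not unbound's or unbound-checkconf's own code: the pre-start
# check that svn r1383 lacked. When control-enable is yes, confirm that every
# remote-control key/cert file named in the config exists and is readable,
# so the operator learns of the problem before the daemon forks and dies.

# conf_value CONF OPTION: print OPTION's value with surrounding quotes stripped
# (last occurrence wins); prints nothing if the option is absent.
conf_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//; s/^"//; s/"$//' | tail -n 1
}

# check_control_files CONF: return 0 when remote control is off or all files
# are present; return 1 and report each missing file on stderr otherwise.
check_control_files() {
    conf=$1
    [ "$(conf_value "$conf" control-enable)" = "yes" ] || return 0
    rc=0
    for opt in server-key-file server-cert-file control-key-file control-cert-file; do
        f=$(conf_value "$conf" "$opt")
        if [ -z "$f" ]; then
            # not set: unbound uses a compiled-in default this script cannot see
            echo "warning: $opt not set, relying on unbound's default" >&2
        elif [ ! -r "$f" ]; then
            echo "error: $opt: $f: missing or unreadable" >&2
            rc=1
        fi
    done
    return "$rc"
}

# write_sample_conf DIR: write a constructed unbound.conf into DIR that enables
# remote control and points the four files at DIR; prints the config path.
write_sample_conf() {
    cat > "$1/unbound.conf" <<EOF
remote-control:
    control-enable: yes
    server-key-file: "$1/unbound_server.key"
    server-cert-file: "$1/unbound_server.pem"
    control-key-file: "$1/unbound_control.key"
    control-cert-file: "$1/unbound_control.pem"
EOF
    echo "$1/unbound.conf"
}

# Demo: the constructed config names files that do not exist, as in the report.
demo=$(mktemp -d); conf=$(write_sample_conf "$demo")
check_control_files "$conf" && echo "ok to start" || echo "refusing to start"
rm -rf "$demo"
```

In an init script, chain it as `check_control_files /etc/unbound/unbound.conf && unbound -c /etc/unbound/unbound.conf`, alongside unbound-checkconf.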