Bugzilla – Bug 221
Starting unbound fails when ssl files are missing, but it does not report it
Last modified: 2008-12-09 10:35:09 CET
When starting unbound with "control-enable: yes" in the config file, but without (or with corrupt) ssl files in the specified locations, the command "unbound -c /etc/unbound/unbound.conf" returns 0, as if starting without issues.
The log file however states:
Dec 8 21:20:16 stella unbound: [18821:0] info: open syslog, startup in progress
Dec 8 21:20:16 stella unbound: [18821:0] warning: did not exit gracefully last time (32527)
Dec 8 21:20:16 stella unbound: [18822:0] notice: init module 0: validator
Dec 8 21:20:16 stella unbound: [18822:0] notice: init module 1: iterator
Dec 8 21:20:16 stella unbound: [18822:0] error: Error setting up SSL_CTX key and cert crypto error:02001002:system library:fopen:No such file or directory
Dec 8 21:20:16 stella unbound: [18822:0] error: and additionally crypto error:20074002:BIO routines:FILE_CTRL:system lib
Dec 8 21:20:16 stella unbound: [18822:0] error: and additionally crypto error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Dec 8 21:20:16 stella unbound: [18822:0] fatal error: Could not initialize main thread
This is tested with subversion trunk (rev 1383).
This is the error returned from OpenSSL.
It prints 'No such file or directory' in the errors.
Maybe I can print more for this error.
Thanks for the report.
Reading again, do you mean you would like unbound to exit with a failed exit code? It is not possible to detect all errors before daemonizing. However, this is why there is unbound-checkconf, that performs a lot of checks without starting the daemon yet. It is good practice to do x-checkconf before starting daemon x, also for apache and named, and so forth.
I note that unbound-checkconf does not check if the keyfiles exist. It reports no errors even though the key files are missing. This is something I can fix.
That's indeed what I saw as a problem; the SSL error in the log file is pretty descriptive.
I already patched unbound-checkconf to check for the existence of the unbound_server.* files, but thought that unbound itself could report the failing startup itself.
This makes a new option 'status' (or 'running' in nsd analogy) for unbound-control useful (which I have currently implemented in bash using the return code of 'unbound-control stats'), that could be used to have a reliable check to see if unbound is actually running.
Fixed unbound checkconf.
The status command exists in the /etc/rc.d/init.d/unbound script (or /usr/local/etc/rc.d/unbound), but I'll keep that feature suggestion for unbound-control on the TODO, easy and could be useful.
svn trunk 1384 has the fix.
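The two checks discussed in this thread (the key/cert existence check that unbound-checkconf was missing, and a "running" check built on the exit status of 'unbound-control stats') as one added shell script; this is an illustration written for this page, not code from the bug's patch or from the unbound project. It assumes the remote-control option names and default file names from unbound.conf(5), that default key/cert files sit beside the config file, and that unbound-control is installed for the status function.

```shell
#!/bin/sh
# Pre-start check: when control-enable is yes, verify that the four key/cert
# files unbound will load are readable, so a missing file is reported before
# the daemon forks. Returns 0 = OK, 1 = file problem, 2 = config unreadable.

conf_value() {  # conf_value FILE KEY -> value of "KEY: value" (quotes stripped)
    awk -v key="$2" '
        $1 == key ":" { v = $2; gsub(/^"|"$/, "", v); print v; exit }
    ' "$1"
}

default_name() {  # default file names per unbound.conf(5) (assumption)
    case "$1" in
        server-key-file)   echo unbound_server.key ;;
        server-cert-file)  echo unbound_server.pem ;;
        control-key-file)  echo unbound_control.key ;;
        control-cert-file) echo unbound_control.pem ;;
    esac
}

check_control_files() {
    conf="$1"
    [ -r "$conf" ] || { echo "config not readable: $conf" >&2; return 2; }
    [ "$(conf_value "$conf" control-enable)" = "yes" ] || return 0
    confdir=$(dirname "$conf")
    rc=0
    for key in server-key-file server-cert-file control-key-file control-cert-file; do
        f=$(conf_value "$conf" "$key")
        case "$f" in                      # unset -> default name next to config
            "") f="$confdir/$(default_name "$key")" ;;
            /*) ;;                        # absolute path as given
            *)  f="$confdir/$f" ;;        # relative path, resolve against confdir
        esac
        if [ ! -r "$f" ]; then
            echo "$key: $f missing or unreadable" >&2
            rc=1
        fi
    done
    return $rc
}

# Liveness check in the spirit of the reporter's script: the exit status of
# 'unbound-control stats' says whether a running daemon answered on the control port.
unbound_status() {
    unbound-control -c "$1" stats >/dev/null 2>&1
}

if [ $# -gt 0 ]; then check_control_files "$1"; fi
```

Run it as `sh precheck.sh /etc/unbound/unbound.conf` before starting the daemon; a non-zero exit names the file unbound would have failed on.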