Having trouble with Unbound

Everything compiled and built okay, but the docs use Ubuntu. The packages I built with have different names than the ones specified in the documentation. On Rocky they are openssl-devel and expat-devel. Ubuntu has libssl-dev and libexpat1-dev. So I’m getting TLS errors. I’m not sure if it’s a problem with those libraries, or that the default build doesn’t support TLS. I can’t find the default build settings.

Any help is greatly appreciated.

    ~ ······························································· jesse@theorionarm.xyz  ⬢ 16.14.0  21:41:45
    ❯ sudo systemctl status unbound
    ● unbound.service - Validating, recursive, and caching DNS resolver
       Loaded: loaded (/usr/lib/systemd/system/unbound.service; disabled; vendor preset: disabled)
       Active: failed (Result: exit-code) since Sat 2022-04-16 23:15:51 EDT; 22h ago
         Docs: man:unbound(8)
      Process: 47206 ExecStart=/usr/local/sbin/unbound -d -p (code=exited, status=1/FAILURE)
     Main PID: 47206 (code=exited, status=1/FAILURE)

    Apr 16 23:15:51 theorionarm.xyz systemd[1]: Starting Validating, recursive, and caching DNS resolver...
    Apr 16 23:15:51 theorionarm.xyz unbound[47206]: Apr 16 23:15:51 unbound[47206:0] error: error for cert file: /home/jesse/keys/lego/certificates/_.theorionarm.xyz.pem
    Apr 16 23:15:51 theorionarm.xyz unbound[47206]: Apr 16 23:15:51 unbound[47206:0] error: error in SSL_CTX use_certificate_chain_file crypto error:0200100D:system library:fopen:Permission denied
    Apr 16 23:15:51 theorionarm.xyz unbound[47206]: Apr 16 23:15:51 unbound[47206:0] error: and additionally crypto error:20074002:BIO routines:file_ctrl:system lib
    Apr 16 23:15:51 theorionarm.xyz unbound[47206]: Apr 16 23:15:51 unbound[47206:0] error: and additionally crypto error:140DC002:SSL routines:use_certificate_chain_file:system lib
    Apr 16 23:15:51 theorionarm.xyz unbound[47206]: Apr 16 23:15:51 unbound[47206:0] fatal error: could not set up listen SSL_CTX
    Apr 16 23:15:51 theorionarm.xyz systemd[1]: unbound.service: Main process exited, code=exited, status=1/FAILURE
    Apr 16 23:15:51 theorionarm.xyz systemd[1]: unbound.service: Failed with result 'exit-code'.
    Apr 16 23:15:51 theorionarm.xyz systemd[1]: Failed to start Validating, recursive, and caching DNS resolver.
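
The journal output above carries an OpenSSL error queue. As an added example (not part of the original post), the script below decodes those codes and reports whether the queue bottoms out in an operating-system error or in the TLS library itself. It assumes the OpenSSL 1.x packing of library, function and reason into one 32-bit value; the function names are hypothetical.

```python
import errno
import re

# The three "crypto error" lines from the log above, journal prefix trimmed.
SAMPLE_LOG = """\
error: error in SSL_CTX use_certificate_chain_file crypto error:0200100D:system library:fopen:Permission denied
error: and additionally crypto error:20074002:BIO routines:file_ctrl:system lib
error: and additionally crypto error:140DC002:SSL routines:use_certificate_chain_file:system lib
"""

ERR_LIB_SYS = 2    # OpenSSL library id for errors raised by a failed system call
ERR_R_SYS_LIB = 2  # generic reason: "a lower layer reported a system library error"
ERR_RE = re.compile(r"crypto error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")


def unpack(code):
    """Split a packed code (assumed OpenSSL 1.x layout) into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def parse_queue(log_text):
    """Return one dict per 'crypto error:' entry, in the order logged."""
    entries = []
    for line in log_text.splitlines():
        m = ERR_RE.search(line)
        if not m:
            continue
        lib, func, reason = unpack(int(m.group(1), 16))
        entries.append({"lib": lib, "func": func, "reason": reason,
                        "func_name": m.group(3), "text": m.group(4).strip()})
    return entries


def root_cause(entries):
    """Return (syscall, errno name) if the queue starts from an OS-level failure."""
    for e in entries:
        if e["lib"] == ERR_LIB_SYS:
            # For the system library, the reason field is the errno value.
            return e["func_name"], errno.errorcode.get(e["reason"], str(e["reason"]))
    return None


if __name__ == "__main__":
    queue = parse_queue(SAMPLE_LOG)
    print("root cause:", root_cause(queue))
    for e in queue:
        wrapper = e["lib"] != ERR_LIB_SYS and e["reason"] == ERR_R_SYS_LIB
        print(e["func_name"], "-> wrapper around OS error" if wrapper else "-> origin")
```

When `root_cause` returns a system call and errno, the BIO and SSL entries are only propagating that failure upward, so the place to look is the process's access to the file rather than the TLS build options.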

Fedora(s) and CentOS Stream 8/9 seem to have unbound: RPM resource unbound

Therefore, I would take the src.rpm from Stream 8 and rebuild, rather than do a raw source build.

There was no reason to do a source build of unbound. dnf install unbound would’ve been sufficient. I would remove your source build and run dnf install unbound which will install it from the appstream repository.


Repo version is 1.7.3 from July 2018. I would be missing a lot of hardening and various additions.

Features, maybe, but Red Hat backports security fixes into their version. See

The “1.7.3” in Rocky is maintained, trivial to install, and functional. Your source build is none of those.


Honestly, I did not know about the backporting. I will go ahead and give it a shot with the repo, once I figure out how to uninstall the one I built.

The other reason I did it was simply because the Unbound website recommended it as the best installation method. Not always the case it seems.

Should I keep my systemd unit files, or will the package do it automatically?

Hi,

The package comes with its own systemd units; I would remove the ones you have created.

Thanks Tom.