Dear all,
I am using knot-resolver for DNS over TLS (DoT) for a while now. So far
I let nginx handle the TLS part on port 853 and proxy the requests to
127.0.0.1:53. I wanted to simplify my setup and let knot-resolver do the
whole thing. But I am facing problems on my server (Debian Stable
Bullseye).
I can enable DoT on 853 successfully without specifying certs, but
I want to use my TLS certs created by certbot. Once I add the following
line, kresd fails to start.
net.tls("/etc/letsencrypt/live/mdosch.de/fullchain.pem", "/etc/letsencrypt/live/mdosch.de/privkey.pem")
Systemd shows me the following error:
Oct 28 19:49:41 v220191283267104968 systemd[1]: Starting Knot Resolver daemon...
Oct 28 19:49:41 v220191283267104968 kresd[22488]: [tls] gnutls_certificate_set_x509_key_file(/etc/letsencrypt/live/md>
Oct 28 19:49:41 v220191283267104968 kresd[22488]: [system] error while loading config: error occurred here (config fi>
Oct 28 19:49:41 v220191283267104968 kresd[22488]: stack traceback:
Oct 28 19:49:41 v220191283267104968 kresd[22488]: [C]: in function 'tls'
Oct 28 19:49:41 v220191283267104968 kresd[22488]: /etc/knot-resolver/kresd.conf:3: in main chunk
Oct 28 19:49:41 v220191283267104968 kresd[22488]: ERROR: Invalid argument (workdir '/var/lib/knot-resolver')
Oct 28 19:49:41 v220191283267104968 systemd[1]: kresd@1.service: Main process exited, code=exited, status=1/FAILURE
Oct 28 19:49:41 v220191283267104968 systemd[1]: kresd@1.service: Failed with result 'exit-code'.
Oct 28 19:49:41 v220191283267104968 systemd[1]: Failed to start Knot Resolver daemon.
The files are world-readable, so I don't know what's going on:
ll /etc/letsencrypt/live/mdosch.de/
total 4.0K
-rw-r--r-- 1 certbot prosody 692 Jun 11 00:30 README
lrwxrwxrwx 1 root root 38 Oct 27 22:07 cert.pem -> ../../archive/mdosch.de-0003/cert9.pem
lrwxrwxrwx 1 root root 39 Oct 27 22:07 chain.pem -> ../../archive/mdosch.de-0003/chain9.pem
lrwxrwxrwx 1 root root 43 Oct 27 22:07 fullchain.pem -> ../../archive/mdosch.de-0003/fullchain9.pem
lrwxrwxrwx 1 root root 41 Oct 27 22:07 privkey.pem -> ../../archive/mdosch.de-0003/privkey9.pem
Also, I don't understand why it complains about the workdir, as I didn't
change anything regarding the workdir but only pointed to the cert and key
files.
Do you have any idea what I am doing wrong?
Best regards,
Martin
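An added diagnostic (not from this thread and not Knot Resolver code) that walks a certbot live/ path the way open(2) does for a non-root uid: the lrwxrwxrwx bits shown for a symlink are never consulted, what decides is search permission on every directory along the resolved path and read permission on the target in archive/, as seen by the uid kresd runs under. It builds a constructed tree in a temp dir with the same live -> archive layout as the listing above; the archive/ mode 0700, the key mode 0600 and the service uid are assumed placeholder cases, not a claim about this server.

```python
import os
import stat
import tempfile

READ, SEARCH = 4, 1   # "other" permission bits; shifted left for group/owner

def _allowed(st, uid, gids, bit):
    """Plain DAC check from the mode bits: owner, else group, else other."""
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return bool(st.st_mode & (bit << shift))

def first_denied(start, relpath, uid, gids, max_links=40):
    """Walk relpath from start as open(2) would for a non-root uid: every directory
    needs search permission, the final file needs read, and symlinks are expanded
    one component at a time. Returns the first denied component, or None."""
    cur, pending, links = start, [c for c in relpath.split("/") if c], 0
    while pending:
        if not _allowed(os.lstat(cur), uid, gids, SEARCH):
            return os.path.relpath(cur, start)
        nxt = os.path.join(cur, pending.pop(0))
        st = os.lstat(nxt)
        if stat.S_ISLNK(st.st_mode):
            if (links := links + 1) > max_links:
                raise OSError("too many levels of symbolic links")
            target = os.readlink(nxt)                 # certbot: ../../archive/...
            cur = "/" if target.startswith("/") else cur
            pending = [c for c in target.split("/") if c] + pending
        elif pending:
            cur = nxt                                 # intermediate directory
        elif not _allowed(st, uid, gids, READ):
            return os.path.relpath(nxt, start)

def probe(archive_mode, key_mode=0o644):
    """Constructed certbot-style tree, probed as a uid that owns nothing in it."""
    root = tempfile.mkdtemp()
    live = os.path.join(root, "live", "mdosch.de")
    archive = os.path.join(root, "archive", "mdosch.de-0003")
    for d in (live, archive):
        os.makedirs(d)
    for d in (root, os.path.dirname(live), live, os.path.dirname(archive)):
        os.chmod(d, 0o755)                            # everything but archive/ is open
    key = os.path.join(archive, "privkey9.pem")
    open(key, "w").close()                            # empty placeholder, not a key
    os.chmod(key, key_mode)
    os.chmod(archive, archive_mode)
    os.symlink("../../archive/mdosch.de-0003/privkey9.pem", os.path.join(live, "privkey.pem"))
    svc_uid = os.getuid() + 12345                     # stands in for the kresd service user
    return first_denied(root, "live/mdosch.de/privkey.pem", svc_uid, {svc_uid})
```

Against the real tree, call first_denied("/", "etc/letsencrypt/live/mdosch.de/privkey.pem", uid, gids) with the uid and groups of the user set in the kresd service unit; a None result means the resolver can read the key without any root privilege.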