[SOLVED] Unbound TLS Error: ssl handshake failed crypto

Hi,
I'm running OpenWrt 19.07 on my TP-Link Archer C7 v2 router.
I was testing Unbound TLS using the Adult filters from CleanBrowsing using the DNS values found on this page: https://cleanbrowsing.org/guides/dnsovertls

Domain: adult-filter-dns.cleanbrowsing.org
IPv4 address: 185.228.168.10:853 and 185.228.169.11:853
IPv6 address: [2a0d:2a00:1::1]:853 and [2a0d:2a00:2::1]:853

Everything appears to be functioning properly using their default free filters.

Now I decided to pay for their services in order to get some advanced tracking/filtering.
I was given specific DNS Addresses to use along with a specific TLS domain to validate.

Whenever I switch this ZONE on I get these errors:

Thu Jan 23 19:38:17 2020 daemon.err unbound: [20207:0] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Thu Jan 23 19:38:17 2020 daemon.notice unbound: [20207:0] notice: ssl handshake failed 185.228.XXX.XXX port 853
Thu Jan 23 19:38:18 2020 daemon.err unbound: [20207:0] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Thu Jan 23 19:38:18 2020 daemon.notice unbound: [20207:0] notice: ssl handshake failed 185.228.XXX.XXZ port 853
Thu Jan 23 19:38:33 2020 daemon.err unbound: [20207:0] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Thu Jan 23 19:38:33 2020 daemon.notice unbound: [20207:0] notice: ssl handshake failed 185.228.XXX.XXZ port 853

I do have the ca-bundle installed. I've tried disabling this new ZONE and tried using Quad9 and 1.1.1.1's TLS servers and they appear to be functioning properly with no errors.

I've emailed support at cleanbrowsing and they have yet to determine what the issue could be.

The ONLY thing I was able to find by searching was this page: https://forum.opnsense.org/index.php?topic=11939.0 where it states you can use: tls-cert-bundle: /etc/ssl/cert.pem in your unbound_srv.conf file. So I tried adding that line and yet it seems unbound is still using the default cert found here: tls-cert-bundle: /var/lib/unbound/ca-certificates.crt

Here's my unbound.conf file, generated by UCI, when using the free Adult filters from CleanBrowsing:

# /var/lib/unbound/unbound.conf generated by UCI 2020-01-24T10:51:14-0500
# /var/lib/unbound/server.conf.tmp generated by UCI 2020-01-24T10:51:13-0500
server:
  username: unbound
  chroot: /var/lib/unbound
  directory: /var/lib/unbound
  pidfile: /var/run/unbound.pid
  tls-cert-bundle: /var/lib/unbound/ca-certificates.crt

  num-threads: 1
  msg-cache-slabs: 1
  rrset-cache-slabs: 1
  infra-cache-slabs: 1
  key-cache-slabs: 1

  use-syslog: yes
  statistics-interval: 0
  statistics-cumulative: no
  verbosity: 1
  extended-statistics: yes

  edns-buffer-size: 1280
  port: 53
  outgoing-port-permit: 10240-65535
  interface: 0.0.0.0
  interface: ::0
  outgoing-interface: 0.0.0.0
  do-ip4: yes
  do-ip6: yes

  harden-short-bufsize: yes
  harden-large-queries: yes
  harden-glue: yes
  use-caps-for-id: no

  msg-buffer-size: 8192
  outgoing-range: 64
  num-queries-per-thread: 32
  outgoing-num-tcp: 2
  incoming-num-tcp: 2
  rrset-cache-size: 256k
  msg-cache-size: 128k
  key-cache-size: 128k
  neg-cache-size: 64k
  infra-cache-numhosts: 256

  module-config: "iterator"

  cache-min-ttl: 120
  cache-max-ttl: 72000
  val-bogus-ttl: 300
  infra-host-ttl: 900

  hide-identity: yes
  hide-version: yes

  private-address: 10.0.0.0/8
  private-address: 100.64.0.0/10
  private-address: 169.254.0.0/16
  private-address: 172.16.0.0/12
  private-address: 192.168.0.0/16
  private-address: fc00::/7
  private-address: fe80::/10

  access-control: 0.0.0.0/0 allow
  access-control: ::0/0 allow

# /var/lib/unbound/host.conf.tmp generated by UCI 2020-01-24T10:51:13-0500
# Local zone is handled by dnsmasq

# /var/lib/unbound/dnsmasq_srv.conf.tmp generated by UCI 2020-01-24T10:51:14-0500
  do-not-query-localhost: no

  domain-insecure: myhomenetworkdomainname.ca
  private-domain: myhomenetworkdomainname.ca
  local-zone: myhomenetworkdomainname.ca transparent

  domain-insecure: 57.168.192.in-addr.arpa
  private-domain: 57.168.192.in-addr.arpa
  local-zone: 57.168.192.in-addr.arpa transparent

  domain-insecure: 0.0.0.9.2.3.a.3.4.4.f.7.0.d.f.ip6.arpa
  private-domain: 0.0.0.9.2.3.a.3.4.4.f.7.0.d.f.ip6.arpa
  local-zone: 0.0.0.9.2.3.a.3.4.4.f.7.0.d.f.ip6.arpa transparent

include: /var/lib/unbound/adb_list.*

include: /var/lib/unbound/unbound_srv.conf

# /var/lib/unbound/zone.conf.tmp generated by UCI 2020-01-24T10:51:13-0500
forward-zone:
  name: .
  forward-addr: 185.228.168.10@853#adult-filter-dns.cleanbrowsing.org
  forward-addr: 185.228.169.11@853#adult-filter-dns.cleanbrowsing.org
  forward-first: no
  forward-tls-upstream: yes

# /var/lib/unbound/ctrl.conf.tmp generated by UCI 2020-01-24T10:51:14-0500
remote-control:
  control-enable: yes
  control-use-cert: no
  control-interface: 127.0.0.1
  control-interface: ::1

# /var/lib/unbound/dnsmasq_ext.conf.tmp generated by UCI 2020-01-24T10:51:14-0500
forward-zone:
  name: myhomenetworkdomainname.ca
  forward-first: no
  forward-addr: 127.0.0.1@1053

forward-zone:
  name: 57.168.192.in-addr.arpa
  forward-first: no
  forward-addr: 127.0.0.1@1053

forward-zone:
  name: 0.0.0.9.2.3.a.3.4.4.f.7.0.d.f.ip6.arpa
  forward-first: no
  forward-addr: 127.0.0.1@1053

include: /var/lib/unbound/unbound_ext.conf

So I'm completely stumped as to why this isn't working!

Any help/advice would be greatly appreciated!

Thanks

It is apparently an issue with the certificate provided by the remote server.

gnutls-cli -V -p 853 185.228.169.11
gnutls-cli -V -p 853 185.228.169.10

printing

- Status: The certificate is NOT trusted. The name in the certificate does not match the expected.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

ahhh there we go! That would make sense!

I tested that same query you provided on other providers' IPs, 1.1.1.1 and 9.9.9.9, and they both came up with no errors!

I even tried that query on the TLS domain names for each and got no errors:

Status: The certificate is trusted.

I was told by CleanBrowsing I had to use this TLS domain: customXXXXXXXXXXXXXX.dot.cleanbrowsing.org

When I query that name I get:

gnutls-cli -V -p 853 customXXXXXXXXXXXXXX.dot.cleanbrowsing.org 
- Status: The certificate is trusted.

If I try it with the IP address of that domain I get a certificate error:

gnutls-cli -V -p 853 185.228.168.199

- Status: The certificate is NOT trusted. The name in the certificate does not match the expected.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

Could it be that unbound is not resolving the TLS domain name initially or simply ignoring the TLS domain being specified?

I did try adding customXXXXXXXXXXXXXX.dot.cleanbrowsing.org in my /etc/hosts file along with its IP to see if that would make a difference... it didn't :frowning:

edit: when I do enable the paid CleanBrowsing DNS TLS servers I'm unable to resolve anything, including on my router itself.

Thanks!

I see; I just tested with one of their other servers:

gnutls-cli -V -p 853 security-filter-dns.cleanbrowsing.org

which is ok, but

gnutls-cli -V -p 853 185.228.168.9

prints the same error.


openssl s_client -connect adult-filter-dns.cleanbrowsing.org:853 -status

turns out ok, as does

ncat --ssl -v adult-filter-dns.cleanbrowsing.org 853

Then it would be expected to work with unbound; strange/odd that it does not, however.


What is the output of unbound -V?

If you set the verbosity level for unbound logs to verbosity: 7 you might get more details on the error; just be aware it will print loads of stuff.


This thread, citing the same issue, mentions:

Is the node's clock properly synchronised?

Here's the info you requested:

unbound -V
Version 1.9.6

Configure line: --target=mips-openwrt-linux --host=mips-openwrt-linux --build=x86_64-pc-linux-gnu --program-prefix= --program-suffix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --libexecdir=/usr/lib --sysconfdir=/etc --datadir=/usr/share --localstatedir=/var --mandir=/usr/man --infodir=/usr/info --disable-nls --disable-dsa --disable-gost --enable-allsymbols --enable-ecdsa --enable-tfo-client --enable-tfo-server --with-libexpat=/builder/shared-workdir/build/sdk/staging_dir/target-mips_24kc_musl/usr --with-ssl=/builder/shared-workdir/build/sdk/staging_dir/target-mips_24kc_musl/usr --with-user=unbound --with-run-dir=/var/lib/unbound --with-conf-file=/var/lib/unbound/unbound.conf --with-pidfile=/var/run/unbound.pid --with-pthreads --with-libevent=/builder/shared-workdir/build/sdk/staging_dir/target-mips_24kc_musl/usr --enable-event-api
Linked libs: pluggable-libevent 2.1.11-stable (it uses epoll), OpenSSL 1.1.1d  10 Sep 2019
Linked modules: dns64 respip validator iterator
TCP Fastopen feature available

BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues

Here's the LOG (I created a test PROFILE so those DNS/DOMAIN values will change whenever I figure this out):

Fri Jan 24 14:11:18 2020 daemon.debug unbound: [15727:0] debug: the query is using TLS encryption, for customXXXXXXXXXXXXX.dot.cleanbrowsing.org
Fri Jan 24 14:11:18 2020 daemon.debug unbound: [15727:0] debug: comm point start listening 16 (-1 msec)
Fri Jan 24 14:11:18 2020 daemon.err unbound: [15727:0] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Fri Jan 24 14:11:18 2020 daemon.notice unbound: [15727:0] notice: ssl handshake failed ip4 185.228.XXX.XXX port 853 (len 16)
Fri Jan 24 14:11:18 2020 daemon.debug unbound: [15727:0] debug: close fd 15
Fri Jan 24 14:11:18 2020 daemon.debug unbound: [15727:0] debug: outnettcp cb
Fri Jan 24 14:11:18 2020 daemon.debug unbound: [15727:0] debug: outnettcp got tcp error -1
Fri Jan 24 14:11:18 2020 daemon.debug unbound: [15727:0] debug: tcp error for address ip4 185.228.XXX.XXX port 853 (len 16)
Fri Jan 24 14:11:18 2020 daemon.debug unbound: [15727:0] debug: svcd callbacks start
Fri Jan 24 14:11:18 2020 daemon.debug unbound: [15727:0] debug: worker svcd callback for qstate 0x621ce0
Fri Jan 24 14:11:18 2020 daemon.debug unbound: [15727:0] debug: mesh_run: start
Fri Jan 24 14:11:18 2020 daemon.debug unbound: [15727:0] debug: iterator[module 0] operate: extstate:module_wait_reply event:module_event_noreply
Fri Jan 24 14:11:18 2020 daemon.info unbound: [15727:0] info: iterator operate: query api.onedrive.com. A IN
Fri Jan 24 14:11:18 2020 daemon.debug unbound: [15727:0] debug: process_response: new external response event
Fri Jan 24 14:11:18 2020 daemon.debug unbound: [15727:0] debug: iter_handle processing q with state QUERY RESPONSE STATE
Fri Jan 24 14:11:18 2020 daemon.debug unbound: [15727:0] debug: query response was timeout
Fri Jan 24 14:11:18 2020 daemon.debug unbound: [15727:0] debug: iter_handle processing q with state QUERY TARGETS STATE
Fri Jan 24 14:11:18 2020 daemon.info unbound: [15727:0] info: processQueryTargets: api.onedrive.com. A IN
Fri Jan 24 14:11:18 2020 daemon.debug unbound: [15727:0] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 1
Fri Jan 24 14:11:18 2020 daemon.info unbound: [15727:0] info: DelegationPoint<.>: 0 names (0 missing), 2 addrs (2 result, 0 avail) parentNS
Fri Jan 24 14:11:18 2020 daemon.debug unbound: [15727:0] debug:   [customXXXXXXXXXXXXX.dot.cleanbrowsing.org] ip4 185.228.XXX.XXX port 853 (len 16)
Fri Jan 24 14:11:18 2020 daemon.debug unbound: [15727:0] debug:   [customXXXXXXXXXXXXX.dot.cleanbrowsing.org] ip4 185.228.XXX.XXX port 853 (len 16)
Fri Jan 24 14:11:18 2020 daemon.debug unbound: [15727:0] debug: attempt to get extra 3 targets
Fri Jan 24 14:11:18 2020 daemon.debug unbound: [15727:0] debug: servselect ip4 185.228.XXX.XXX port 853 (len 16)
Fri Jan 24 14:11:18 2020 daemon.debug unbound: [15727:0] debug:    rtt=752
Fri Jan 24 14:11:18 2020 daemon.debug unbound: [15727:0] debug: servselect ip4 185.228.XXX.XXX port 853 (len 16)
Fri Jan 24 14:11:18 2020 daemon.debug unbound: [15727:0] debug:    rtt=752
Fri Jan 24 14:11:18 2020 daemon.debug unbound: [15727:0] debug: selrtt 752
Fri Jan 24 14:11:18 2020 daemon.info unbound: [15727:0] info: sending query: api.onedrive.com. A IN
Fri Jan 24 14:11:18 2020 daemon.debug unbound: [15727:0] debug: sending to target: <.> 185.228.XXX.XXX#853
Fri Jan 24 14:11:18 2020 daemon.debug unbound: [15727:0] debug: dnssec status: not expected
Fri Jan 24 14:11:18 2020 daemon.debug unbound: [15727:0] debug: mesh_run: iterator module exit state is module_wait_reply
Fri Jan 24 14:11:18 2020 daemon.info unbound: [15727:0] info: mesh_run: end 4 recursion states (4 with reply, 0 detached), 4 waiting replies, 2 recursion replies sent, 0 replies dropped, 0 states jostled out
Fri Jan 24 14:11:18 2020 daemon.info unbound: [15727:0] info: average recursion processing time 0.205317 sec
Fri Jan 24 14:11:18 2020 daemon.info unbound: [15727:0] info: histogram of recursion processing times
Fri Jan 24 14:11:18 2020 daemon.info unbound: [15727:0] info: [25%]=0 median[50%]=0 [75%]=0
Fri Jan 24 14:11:18 2020 daemon.info unbound: [15727:0] info: lower(secs) upper(secs) recursions
Fri Jan 24 14:11:18 2020 daemon.info unbound: [15727:0] info:    0.131072    0.262144 2
Fri Jan 24 14:11:18 2020 daemon.info unbound: [15727:0] info: 0RDd mod0 rep 0.ciscosb.pool.ntp.org. A IN
Fri Jan 24 14:11:18 2020 daemon.info unbound: [15727:0] info: 1RDd mod0 rep api.onedrive.com. A IN
Fri Jan 24 14:11:18 2020 daemon.info unbound: [15727:0] info: 2RDd mod0 rep smtp-mail.outlook.com. A IN
Fri Jan 24 14:11:18 2020 daemon.info unbound: [15727:0] info: 3RDd mod0 rep api.onedrive.com. AAAA IN
Fri Jan 24 14:11:18 2020 daemon.debug unbound: [15727:0] debug: cache memory msg=8552 rrset=8272 infra=3657 val=0
Fri Jan 24 14:11:18 2020 daemon.debug unbound: [15727:0] debug: svcd callbacks end
Fri Jan 24 14:11:18 2020 daemon.debug unbound: [15727:0] debug: the query is using TLS encryption, for customXXXXXXXXXXXXX.dot.cleanbrowsing.org
Fri Jan 24 14:11:18 2020 daemon.debug unbound: [15727:0] debug: comm point start listening 15 (-1 msec)
Fri Jan 24 14:11:19 2020 daemon.debug unbound: [15727:0] debug: comm point listen_for_rw 16 0
Fri Jan 24 14:11:19 2020 daemon.debug unbound: [15727:0] debug: comm point listen_for_rw 15 0
Fri Jan 24 14:11:19 2020 daemon.err unbound: [15727:0] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Fri Jan 24 14:11:19 2020 daemon.notice unbound: [15727:0] notice: ssl handshake failed ip4 185.228.XXX.XXX port 853 (len 16)
Fri Jan 24 14:11:19 2020 daemon.debug unbound: [15727:0] debug: close fd 16
Fri Jan 24 14:11:19 2020 daemon.debug unbound: [15727:0] debug: outnettcp cb
Fri Jan 24 14:11:19 2020 daemon.debug unbound: [15727:0] debug: outnettcp got tcp error -1
Fri Jan 24 14:11:19 2020 daemon.debug unbound: [15727:0] debug: tcp error for address ip4 185.228.XXX.XXX port 853 (len 16)
Fri Jan 24 14:11:19 2020 daemon.debug unbound: [15727:0] debug: svcd callbacks start
Fri Jan 24 14:11:19 2020 daemon.debug unbound: [15727:0] debug: worker svcd callback for qstate 0x60dc90
Fri Jan 24 14:11:19 2020 daemon.debug unbound: [15727:0] debug: mesh_run: start
Fri Jan 24 14:11:19 2020 daemon.debug unbound: [15727:0] debug: iterator[module 0] operate: extstate:module_wait_reply event:module_event_noreply
Fri Jan 24 14:11:19 2020 daemon.info unbound: [15727:0] info: iterator operate: query 0.ciscosb.pool.ntp.org. A IN
Fri Jan 24 14:11:19 2020 daemon.debug unbound: [15727:0] debug: process_response: new external response event
Fri Jan 24 14:11:19 2020 daemon.debug unbound: [15727:0] debug: iter_handle processing q with state QUERY RESPONSE STATE
Fri Jan 24 14:11:19 2020 daemon.debug unbound: [15727:0] debug: query response was timeout
Fri Jan 24 14:11:19 2020 daemon.debug unbound: [15727:0] debug: iter_handle processing q with state QUERY TARGETS STATE
Fri Jan 24 14:11:19 2020 daemon.info unbound: [15727:0] info: processQueryTargets: 0.ciscosb.pool.ntp.org. A IN
Fri Jan 24 14:11:19 2020 daemon.debug unbound: [15727:0] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 1

I ran a few more tests to see what I'd get:

on the free adult filter:

gnutls-cli -V -p 853 --verify-hostname=adult-filter-dns.cleanbrowsing.org 185.228.168.10

Status: The certificate is trusted.

and

gnutls-cli -V -p 853 --verify-hostname=one.one.one.one 1.1.1.1

the results:

- Status: The certificate is trusted.

weird wild stuff

I'm using these ntp servers to sync my time/date:

https://www.pool.ntp.org/zone/ca
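A small triage script for log lines like the ones posted in this thread, added here as an example; it is not part of unbound, OpenWrt or anything the thread's participants ran. It pairs each OpenSSL crypto error with the peer notice that follows it, unpacks the hex error code into library/function/reason, and counts failures per upstream and per auth name. The sample lines are constructed to follow the logread format shown above, with the addresses left masked as they were posted.

```python
"""Triage of unbound syslog lines for DNS-over-TLS handshake failures.

Added example for this thread, not part of unbound or OpenWrt. SAMPLE is
constructed to follow the logread line format shown in the thread, with the
addresses kept masked as they were posted; no real log is read.
"""
import re
from collections import Counter

# logread line: timestamp, facility.level, "unbound:", [pid:thread], level, message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<facility>[\w.]+) unbound: "
    r"\[(?P<pid>\d+):(?P<tid>\d+)\] (?P<level>\w+): (?P<msg>.*)$"
)
# error line: the packed OpenSSL code plus its library:function:reason strings
CRYPTO_RE = re.compile(
    r"ssl handshake failed crypto error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+)$"
)
# notice line; at verbosity 7 it also carries an "ip4"/"ip6" tag and "(len N)"
PEER_RE = re.compile(r"ssl handshake failed (?:ip[46] )?(?P<peer>\S+) port (?P<port>\d+)")
# debug line (verbosity 7) naming the auth name the connection is checked against
TARGET_RE = re.compile(r"the query is using TLS encryption, for (?P<auth>\S+)")


def decode_openssl_error(code_hex: str) -> dict:
    """Unpack an OpenSSL 1.1.x error code: 8 bits library, 12 bits function,
    12 bits reason. 1416F086 -> lib 20 (ERR_LIB_SSL), func 0x16F, reason 134,
    and reason 134 in the SSL library is SSL_R_CERTIFICATE_VERIFY_FAILED."""
    code = int(code_hex, 16)
    return {"lib": code >> 24, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF}


def triage(lines):
    """One pass over the log. The error line carries the OpenSSL reason but not
    the peer; the notice that follows carries the peer but not the reason, so
    the two are paired. Each failure is also tagged with the auth name last
    announced at debug level (None when the log was taken at verbosity 1)."""
    per_peer = Counter()   # (peer, port, auth name) -> failed handshakes
    reasons = Counter()    # (function, reason text, reason number) -> count
    last_auth = None
    pending = None
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        t = TARGET_RE.search(msg)
        if t:
            last_auth = t.group("auth")
            continue
        c = CRYPTO_RE.search(msg)
        if c:
            pending = (c.group("func"), c.group("reason").strip(),
                       decode_openssl_error(c.group("code"))["reason"])
            continue
        p = PEER_RE.search(msg)
        if p:
            per_peer[(p.group("peer"), int(p.group("port")), last_auth)] += 1
            if pending is not None:
                reasons[pending] += 1
                pending = None
    return {"per_peer": per_peer, "reasons": reasons}


AUTH = "customXXXXXXXXXXXXX.dot.cleanbrowsing.org"  # masked as in the thread
ERR = ("error: ssl handshake failed crypto error:1416F086:SSL routines:"
       "tls_process_server_certificate:certificate verify failed")
SAMPLE = [  # constructed sample in the thread's logread format
    "Thu Jan 23 19:38:16 2020 daemon.debug unbound: [20207:0] debug: "
    "the query is using TLS encryption, for " + AUTH,
    "Thu Jan 23 19:38:17 2020 daemon.err unbound: [20207:0] " + ERR,
    "Thu Jan 23 19:38:17 2020 daemon.notice unbound: [20207:0] notice: ssl handshake failed 185.228.XXX.XXX port 853",
    "Thu Jan 23 19:38:18 2020 daemon.err unbound: [20207:0] " + ERR,
    "Thu Jan 23 19:38:18 2020 daemon.notice unbound: [20207:0] notice: ssl handshake failed 185.228.XXX.XXZ port 853",
    "Thu Jan 23 19:38:33 2020 daemon.err unbound: [20207:0] " + ERR,
    "Thu Jan 23 19:38:33 2020 daemon.notice unbound: [20207:0] notice: ssl handshake failed ip4 185.228.XXX.XXZ port 853 (len 16)",
    "Thu Jan 23 19:38:34 2020 daemon.info unbound: [20207:0] info: iterator operate: query api.onedrive.com. A IN",
]

if __name__ == "__main__":
    summary = triage(SAMPLE)
    for key, n in sorted(summary["per_peer"].items()):
        print(f"{n}x {key[0]}:{key[1]} (auth name {key[2]})")
    for key, n in summary["reasons"].items():
        print(f"{n}x {key[0]}: {key[1]} (reason {key[2]})")
```

To run it over a real capture, feed the output of logread to triage() line by line. Decoding the hex code matters when a log has been trimmed to just the code: reason 134 in library 20 is the certificate-verify failure at the server-certificate step, which rules out cipher or protocol mismatches and leaves chain trust, name matching or clock skew as the candidates.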

Not that it helps your end, but I just tested on my node, where the issue does not exhibit, however.

debug log

unbound[7729:0] debug: sending to target: <.> 185.228.168.10#853
unbound[7729:0] debug: the query is using TLS encryption, for adult-filter-dns.cleanbrowsing.org
unbound[7729:0] debug: peer certificate: 
        Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
        Validity
            Not Before: Aug 10 21:34:07 2018 GMT
            Not After : Aug 10 21:34:07 2020 GMT
        Subject: OU=Domain Control Validated, CN=*.cleanbrowsing.org
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.godaddy.com/gdig2s1-856.crl

            X509v3 Certificate Policies: 
                Policy: 2.16.840.1.114413.1.7.23.1
                  CPS: http://certificates.godaddy.com/repository/
                Policy: 2.23.140.1.2.1

            Authority Information Access: 
                OCSP - URI:http://ocsp.godaddy.com/
                CA Issuers - URI:http://certificates.godaddy.com/repository/gdig2.crt

            X509v3 Authority Key Identifier: 
                keyid:40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE

            X509v3 Subject Alternative Name: 
                DNS:*.cleanbrowsing.org, DNS:cleanbrowsing.org
            X509v3 Subject Key Identifier: 
                10:DF:78:1D:A3:29:D3:C8:F0:A6:9A:6E:0E:E8:C3:CE:01:C6:FA:0C
            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : A4:B9:09:90:B4:18:58:14:87:BB:13:A2:CC:67:70:0A:
                                3C:35:98:04:F9:1B:DF:B8:E3:77:CD:0E:C8:0D:DC:10
                    Timestamp : Aug 10 21:34:51.518 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:83:79:1E:80:5C:8D:58:46:F4:E2:C2:
                                09:04:CF:60:53:53:9B:4F:36:0A:A6:60:DF:77:25:78:
                                6C:0F:56:27:9F:02:21:00:B8:34:8B:D6:65:04:49:03:
                                72:2C:03:7F:69:46:71:1A:F5:1C:54:A3:22:23:E2:22:
                                01:56:23:18:02:4F:E3:CB
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : EE:4B:BD:B7:75:CE:60:BA:E1:42:69:1F:AB:E1:9E:66:
                                A3:0F:7E:5F:B0:72:D8:83:00:C4:7B:89:7A:A8:FD:CB
                    Timestamp : Aug 10 21:34:52.826 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:74:E1:BF:23:B7:11:02:55:D7:3B:20:19:
                                5A:58:31:79:01:D7:8E:84:0E:7A:74:BF:67:BC:8A:BB:
                                ED:D8:A2:34:02:21:00:A1:43:A0:F3:6A:87:22:82:3C:
                                7D:09:1F:4B:74:C5:1A:FE:9C:92:02:59:20:BC:D0:DC:
                                35:07:F5:10:7E:1F:6A
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 5E:A7:73:F9:DF:56:C0:E7:B5:36:48:7D:D0:49:E0:32:
                                7A:91:9A:0C:84:A1:12:12:84:18:75:96:81:71:45:58
                    Timestamp : Aug 10 21:34:53.019 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:BF:6E:35:3F:42:49:91:70:7E:45:EE:
                                2C:F7:0F:78:43:3E:91:57:5D:24:87:41:64:4A:2B:1F:
                                1D:50:0D:1A:35:02:21:00:9D:26:89:C3:36:5B:D7:1C:
                                86:78:12:AC:91:CD:C3:18:7D:21:84:23:53:FC:83:5E:
                                CD:7A:C0:A1:77:4B:45:D5

unbound[7729:0] debug: SSL connection to *.cleanbrowsing.org authenticated ip4 185.228.168.10 port 853 (len 16)

Your debug log unfortunately does not yield more insight.


That is fine; just make sure the node is actually synchronised and not by chance out of sync, to rule that out as a potential cause.


And then try

openssl s_client -CApath /var/lib/unbound -connect adult-filter-dns.cleanbrowsing.org:853 -status

and for comparison

openssl s_client -CApath /etc/ssl/certs -connect adult-filter-dns.cleanbrowsing.org:853 -status
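The two checks that the openssl comparison above and the earlier gnutls-cli --verify-hostname tests exercise separately are the ones unbound applies together for `forward-addr: IP@853#AUTHNAME` with `tls-cert-bundle: FILE`: chain validation against the bundle file, and matching AUTHNAME against the certificate's subjectAltName. What follows is an added example written for this thread, not code from unbound, OpenWrt or CleanBrowsing; the bundle path default, the query name example.com and the arguments under __main__ are assumptions, not values taken from the thread.

```python
"""DNS-over-TLS upstream check, as unbound performs it for
`forward-addr: IP@853#AUTHNAME` together with `tls-cert-bundle: FILE`.

Added example for this thread; not code from unbound, OpenWrt or
CleanBrowsing. Two checks produce "certificate verify failed": building
the chain against the bundle file, and matching AUTHNAME against the
certificate's subjectAltName DNS entries. san_matches() and the framing
helpers run offline; dot_probe() needs network access.
Assumed, not from the thread: the BUNDLE default, the query name
"example.com" and the placeholder arguments under __main__.
"""
import socket
import ssl
import struct

BUNDLE = "/var/lib/unbound/ca-certificates.crt"  # what tls-cert-bundle points at in the thread


def san_matches(authname: str, san_names) -> bool:
    """Name check in the style of RFC 6125 section 6.4.3: exact label-for-label
    match, or a single leading "*" label standing for exactly one label (it
    never spans a dot). The wildcard is honoured only with two or more fixed
    labels after it. So "*.cleanbrowsing.org" covers "adult-filter-dns.cleanbrowsing.org"
    but not "customX.dot.cleanbrowsing.org"; that needs "*.dot.cleanbrowsing.org"."""
    host = authname.rstrip(".").lower().split(".")
    for san in san_names:
        labels = san.rstrip(".").lower().split(".")
        if len(labels) != len(host):
            continue
        if labels == host:
            return True
        if labels[0] == "*" and len(labels) >= 3 and labels[1:] == host[1:]:
            return True
    return False


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """One RD=1 query for qname (class IN) with the 2-byte length prefix used
    for DNS over TCP, which DNS over TLS (RFC 7858) reuses."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    wire_name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + wire_name + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg


def parse_reply(frame: bytes, expect_txid: int = 0x1234) -> dict:
    """Validate framing and transaction id of a length-prefixed reply and
    return the header fields a resolver acts on."""
    if len(frame) < 2:
        raise ValueError("no length prefix")
    (length,) = struct.unpack("!H", frame[:2])
    body = frame[2:2 + length]
    if len(body) != length or length < 12:
        raise ValueError("short or malformed DNS frame")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", body[:12])
    if txid != expect_txid:
        raise ValueError("transaction id mismatch")
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "ancount": an}


def _read_exact(sock, n: int) -> bytes:
    """recv() may return fewer bytes than asked for; loop until n arrive."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection mid-reply")
        buf += chunk
    return buf


def dot_probe(ip: str, authname: str, bundle: str = BUNDLE,
              qname: str = "example.com", port: int = 853, timeout: float = 5.0) -> dict:
    """TCP to ip:port, TLS with the chain checked against the bundle file and the
    name checked against authname (also sent as SNI), then one query.
    ssl.SSLCertVerificationError here corresponds to unbound's
    'tls_process_server_certificate:certificate verify failed'."""
    ctx = ssl.create_default_context(cafile=bundle)  # bundle loaded as one file, like tls-cert-bundle
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=authname) as tls:
            tls.sendall(build_query(qname))
            head = _read_exact(tls, 2)
            (length,) = struct.unpack("!H", head)
            result = parse_reply(head + _read_exact(tls, length))
            cert = tls.getpeercert()
            result["peer_san"] = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
            return result


if __name__ == "__main__":
    # Placeholder arguments: the free-tier address and auth name quoted in the thread.
    print(dot_probe("185.228.168.10", "adult-filter-dns.cleanbrowsing.org"))
```

Two points the example encodes. First, a wildcard label matches exactly one label, so `*.cleanbrowsing.org` covers `adult-filter-dns.cleanbrowsing.org` but nothing under `dot.cleanbrowsing.org`; a certificate issued for `*.dot.cleanbrowsing.org` needs an auth name directly under that zone, and connecting by bare IP with no name to verify against fails the name check, which is what the gnutls-cli runs without --verify-hostname show. Second, the bundle is a single file, and that is how unbound loads `tls-cert-bundle`; openssl s_client's `-CApath` expects a directory of hash-named certificates, so for a like-for-like check use `-CAfile /var/lib/unbound/ca-certificates.crt`, adding `-verify_hostname NAME` for the name check.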

I don't get any errors when I use their FREE Adult TLS DNS. My issue is when I'm trying to use the paid TLS DNS servers they have configured for my account specifically.

date
Fri Jan 24 15:09:01 EST 2020

output of: openssl s_client -CApath /var/lib/unbound -connect adult-filter-dns.cleanbrowsing.org:853 -status

openssl s_client -CApath /var/lib/unbound -connect adult-filter-dns.cleanbrowsing.org:853 -status
CONNECTED(00000003)
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.cleanbrowsing.org
verify return:1
OCSP response: no response sent
---
Certificate chain
 0 s:OU = Domain Control Validated, CN = *.cleanbrowsing.org
   i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
 1 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
   i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
 2 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
   i:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
 3 s:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
   i:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
[PEM body omitted]
-----END CERTIFICATE-----
subject=OU = Domain Control Validated, CN = *.cleanbrowsing.org

issuer=C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6135 bytes and written 463 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: A250C57838A0F287112221FA3DCA539CF54840EC617FA80223547BD10B33D352
    Session-ID-ctx:
    Master-Key: 2E058B69ECBA4FDB9816623ADE500C76C19519B0C1FBCF75A506059A6C16B90EA75D200DDED48E03F46F728A8249E517
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 3600 (seconds)
    TLS session ticket:
    0000 - a9 a2 86 87 6c d9 29 85-95 60 02 cf 8f cf 3a 08   ....l.)..`....:.
    0010 - 52 4e 2b 5e e2 fe eb ca-6c 91 e0 16 cf e6 0b 73   RN+^....l......s
    0020 - 01 90 70 83 ad 59 ff 4e-3a 3c d8 fa 70 1b 52 2b   ..p..Y.N:<..p.R+
    0030 - cf 67 4b 6a fb 68 41 67-2e f8 82 e8 8b fd 42 ff   .gKj.hAg......B.
    0040 - 45 15 03 fa 44 3f 79 fe-cb 9c b2 03 ea 3e 6e 94   E...D?y......>n.
    0050 - 91 cb de e8 e9 fe 0b 8f-21 fe 36 2e e2 70 f1 9a   ........!.6..p..
    0060 - d7 97 30 ef ae 4a 1d a0-1d 47 0b c3 33 6f 41 25   ..0..J...G..3oA%
    0070 - 30 fd c4 07 53 ec 68 be-a8 0a 48 e9 50 14 b9 06   0...S.h...H.P...
    0080 - 2d d9 96 c1 88 48 79 c7-40 77 78 12 6f 97 04 d6   -....Hy.@wx.o...
    0090 - f2 a2 0d a2 4d 81 47 1d-0a 43 cb 84 2c 79 ed bf   ....M.G..C..,y..
    00a0 - 82 c8 4a b0 d2 04 1b d2-45 ee 3f aa 7e b0 77 82   ..J.....E.?.~.w.
    00b0 - f6 ff 26 14 60 36 f7 76-49 28 3e a6 2b 53 54 63   ..&.`6.vI(>.+STc
    00c0 - b9 92 d1 f7 5e a9 d5 9a-aa b5 70 a2 2c bd c2 7d   ....^.....p.,..}
    00d0 - 9e 48 8c ad 11 ef 81 2f-a1 d6 90 20 93 c8 57 4b   .H...../... ..WK
    00e0 - e0 5b cd e8 56 a8 fd 20-57 ca 48 1c a3 a4 e9 ca   .[..V.. W.H.....
    00f0 - ee 31 e1 c7 b8 f7 1e 08-98 eb cb a7 bd 56 a3 a1   .1...........V..
    0100 - ea b5 96 78 05 c9 2d c1-fa 40 d1 b6 62 3e 9b 2a   ...x..-..@..b>.*
    0110 - 2b 31 ff 94 5e 08 4f 21-e0 9e 30 4e b3 69 80 ac   +1..^.O!..0N.i..
    0120 - 5d cd a7 60 a0 4c 59 e0-c6 32 e6 50 eb a0 a9 e3   ]..`.LY..2.P....
    0130 - 65 f8 30 21 dd 7b 12 fb-b1 0d 79 2e 8e 72 6b fd   e.0!.{....y..rk.
    0140 - b7 ff e0 20 48 ca cd a1-33 1c 10 8d ee 9c 32 a5   ... H...3.....2.
    0150 - f5 41 70 42 2a 1f fb dd-94 c3 44 b4 bf 7d 1f 0c   .ApB*.....D..}..
    0160 - b4 ed 61 44 c3 d3 bf 67-e6 51 16 f1 be 8b 15 e8   ..aD...g.Q......
    0170 - 7e 7c 36 c1 84 9d 31 1d-21 b2 fe cb 72 2a 8b 51   ~|6...1.!...r*.Q
    0180 - 76 46 34 28 e7 89 03 bb-43 37 54 e9 62 7d 2e fd   vF4(....C7T.b}..
    0190 - fe 5a c9 48 fa 44 dc fe-64 f8 2d 12 81 92 a6 69   .Z.H.D..d.-....i
    01a0 - 80 51 fc 1f b4 07 ee 92-f4 fa e2 bb 54 d4 cc cf   .Q..........T...
    01b0 - 03 a2 bd 30 3a 18 68 da-2a 9f c9 e4 a3 53 00 45   ...0:.h.*....S.E
    01c0 - 56 d8 7f e1 bf 66                                 V....f

    Start Time: 1579896402
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: yes
---
closed

output using the TLS domain for my paid service:

openssl s_client -CApath /var/lib/unbound -connect customXXXXXXXXXXXXXX.dot.cleanbrowsing.org:853 -status
CONNECTED(00000003)
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.dot.cleanbrowsing.org
verify return:1
OCSP response: no response sent
---
Certificate chain
 0 s:OU = Domain Control Validated, CN = *.dot.cleanbrowsing.org
   i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
 1 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
   i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
 2 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
   i:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
 3 s:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
   i:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
[PEM body omitted]
-----END CERTIFICATE-----
subject=OU = Domain Control Validated, CN = *.dot.cleanbrowsing.org

issuer=C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6143 bytes and written 473 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: CE55277BDDABE28D38742D43A3F9FA43B42B3388986D4A1FB5553CD74A0FD805
    Session-ID-ctx:
    Master-Key: D7BB7C2B3F3D9CF4654FA054B06EC100E9FCAAECFB86F2A687B8DDB1AF4DCE3AA72AD2D74BC09C89A4CBE7692855160A
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 3600 (seconds)
    TLS session ticket:

    Start Time: 1579896706
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: yes
---
closed

for comparison:

output of: openssl s_client -CApath /etc/ssl/certs -connect adult-filter-dns.cleanbrowsing.org:853 -status

CONNECTED(00000003)
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.cleanbrowsing.org
verify return:1
OCSP response: no response sent
---
Certificate chain
 0 s:OU = Domain Control Validated, CN = *.cleanbrowsing.org
   i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
 1 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
   i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
 2 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
   i:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
 3 s:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
   i:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
---
Server certificate
subject=OU = Domain Control Validated, CN = *.cleanbrowsing.org

issuer=C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6135 bytes and written 463 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: 266463DD3A15D7F0B523A28DC9A5C7630446DC418A2D1607F7F80198EA18D27E
    Session-ID-ctx:
    Master-Key: 4375A08CA6F08DC5D04181C7AFC1A9231316BABF1F0A804DF1FCA288C8C7D95FDA4AF77B012C075B0338B530C7B602A0
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 3600 (seconds)
    TLS session ticket:

    Start Time: 1579896992
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: yes

and the output of my paid service: openssl s_client -CApath /etc/ssl/certs -connect customXXXXXXXXXXXXXX.dot.cleanbrowsing.org:853 -status

CONNECTED(00000003)
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.dot.cleanbrowsing.org
verify return:1
OCSP response: no response sent
---
Certificate chain
 0 s:OU = Domain Control Validated, CN = *.dot.cleanbrowsing.org
   i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
 1 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
   i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
 2 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
   i:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
 3 s:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
   i:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
---
Server certificate
subject=OU = Domain Control Validated, CN = *.dot.cleanbrowsing.org

issuer=C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6143 bytes and written 473 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: 4383C2EC0C228EDFECBA19ADAE735EBD12B00446B8E4C38EF92AB32652724039
    Session-ID-ctx:
    Master-Key: C5808EDDF6F960B3CA5EC8B479F69591DF89C55D8E21F0F13912A8D2E7872BD71F606EB3F296031214A9DDB006B33091
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 3600 (seconds)
    TLS session ticket:

    Start Time: 1579897135
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: yes

Afraid I have reached the end of the debugging road on my side:

  • all certificate chains seem in order
  • underlying transport cryptography working as well
  • other remote nodes not exhibiting the issue

Bit of an enigma to me, and I am hesitant to name unbound as the culprit since it does not provide the transport cryptography.

One thing you could try, though it is probably all the same:

# tls-cert-bundle: /var/lib/unbound/ca-certificates.crt
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

restart unbound


Since it is a paid service you might want to redact/obfuscate the custom ID in the posts before someone gets any ideas...

Yeah I did try specifying that tls-cert-bundle in my unbound_srv.conf file. :frowning:

I just can't tell if unbound is actually using it or not.. since when I check FILES TAB in LuCI:

Show: Unbound
(This shows '/var/lib/unbound/unbound.conf' generated from UCI configuration.) I still see:
tls-cert-bundle: /var/lib/unbound/ca-certificates.crt

Well thanks anyways for your great help! I truly do appreciate it! :+1:

Hopefully the folks at CleanBrowsing will pinpoint the root cause.. otherwise I'll have to switch DNS providers!

thanks again!

Share here if you find a solution.

I rather suspect this is somehow being caused by CleanBrowsing authenticating connecting DNS clients for their paid service, but I might be wrong.

Was thinking the same thing! I've updated all my other posts! :wink:

Will do! I've pointed them to this post.. hopefully it'll add some extra insight!

So after a bit of confusion.. it seems the TLS Name Index I'm supposed to use is the custom URL they provide to paid customers who want to use TLS DNS. The IP Address is the same for all the custom domains. The IP won't work without the correct custom domain which I assume acts like a key. Anyways, thanks so much for the help! It still helped me understand how all of this works more! :wink:
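The resolution above comes down to a hostname check: Unbound compares the configured TLS auth name (the "name index") against the names in the upstream certificate, and `*.dot.cleanbrowsing.org` only matches a single-label custom host under that suffix. The script below is an added example, not code from this thread or from Unbound or CleanBrowsing; it shows that wildcard rule, pulls the verify code and leaf CN out of `openssl s_client` output, and reports which of the two checks would fail. It only looks at the CN (Unbound also checks SAN entries), the hostnames are the ones posted in the thread, and the `s_client` excerpt is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: check whether a DoT "TLS name index"
# (Unbound's tls auth name, sent as SNI) would match the server certificate's
# CN the way Unbound checks it, and pull the verify code out of s_client output.
# Hostnames are the thread's; the s_client excerpt below is constructed.
# Wildcard match in the single-leftmost-label style used for TLS certificates.
dot_name_matches() {
    name=$1; cn=$2
    case "$cn" in
        '*.'*) first=${name%%.*}; rest=${name#*.}
               [ "$name" != "$first" ] && [ -n "$first" ] && [ "$rest" = "${cn#"*."}" ] ;;
        *)     [ "$name" = "$cn" ] ;;
    esac
}

# "Verify return code: N (...)" from s_client output on stdin (0 = chain trusted).
verify_code() { sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1; }

# Leaf certificate CN from the "subject=" line of s_client output on stdin.
leaf_cn() { sed -n 's/^subject=.*CN = \([^,]*\).*/\1/p' | head -n 1; }

# Verdict for one auth name; returns 0 only if both chain and name would pass.
check_auth_name() {
    name=$1; out=$(cat); rc=0
    code=$(printf '%s\n' "$out" | verify_code)
    cn=$(printf '%s\n' "$out" | leaf_cn)
    if [ "$code" != 0 ]; then
        echo "chain: verify return code $code (code 19 with -CApath usually means an" \
             "unhashed CA dir; retry with -CAfile and the bundle Unbound reads)"
        rc=1
    fi
    if dot_name_matches "$name" "$cn"; then
        echo "name: $name matches leaf CN $cn"
    else
        echo "name: $name does NOT match leaf CN $cn (fix the tls auth name)"
        rc=1
    fi
    return $rc
}

# Constructed excerpt of the paid-server s_client output shown in the thread.
SAMPLE_OUTPUT='depth=0 OU = Domain Control Validated, CN = *.dot.cleanbrowsing.org
subject=OU = Domain Control Validated, CN = *.dot.cleanbrowsing.org
    Verify return code: 19 (self signed certificate in certificate chain)'

# Live use (needs network), e.g. on the router, with NAME set to the auth name:
#   openssl s_client -connect 185.228.168.10:853 -servername "$NAME" \
#     -verify_hostname "$NAME" -CAfile /etc/ssl/certs/ca-certificates.crt </dev/null
printf '%s\n' "$SAMPLE_OUTPUT" | check_auth_name adult-filter-dns.cleanbrowsing.org || echo "=> Unbound would refuse this upstream"
```

Run against the paid server's real output with the custom `customXXXX.dot.cleanbrowsing.org` name, the name check passes while the free-tier name does not, which is the mismatch behind the `certificate verify failed` lines in the first post.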

