[chrony-users] Chronyd does not use non-nts servers

Hi,

Chronyd does not use non-nts servers, when there are big time gap and nts server in chrony.conf

Here my procedure:

1. stop chronyd.service , delete some files, like fresh installed and set time to 1990y.

[root@hostname /tmp]# systemctl stop chronyd
[root@hostname /tmp]# rm -vrf /var/lib/chrony/* /var/run/chrony/*

[root@hostname /tmp]# date +%Y%m%d -s '19900101'

2. edit /etc/chrony.conf, here's result:

[root@hostname /tmp]# cat /etc/chrony.conf
server time.cloudflare.com iburst nts
server nts.ntp.se iburst nts
server nts.sth1.ntp.se iburst nts
server nts.sth2.ntp.se iburst nts
server time.apple.com iburst
server time1.apple.com iburst
server time2.apple.com iburst
server time3.apple.com iburst
server time4.apple.com iburst
server time5.apple.com iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
keyfile /etc/chrony.keys
ntsdumpdir /var/lib/chrony
leapsectz right/UTC
logdir /var/log/chrony

3. start chronyd server

[root@hostname /tmp]# systemctl start chronyd
[root@hostname /tmp]# systemctl status -l chronyd
Jan 1 00:00:20 hostname systemd: Starting NTP client/server....
Jan 1 00:00:20 hostname chronyd[44348]: chronyd version 4.0 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 +DEBUG)
Jan 1 00:00:20 hostname chronyd[44348]: Initial frequency -3.299 ppm
Jan 1 00:00:20 hostname chronyd[44348]: Using right/UTC timezone to obtain leap second data
Jan 1 00:00:20 hostname systemd: Started NTP client/server.
Jan 1 00:00:21 hostname chronyd[44348]: TLS handshake with 194.58.202.201:4460 (nts.ntp.se) failed : Error in the certificate verification. The certificate is NOT trusted. The certificate chain uses not yet valid certificate.
Jan 1 00:00:21 hostname chronyd[44348]: TLS handshake with 194.58.202.218:4460 (nts.sth2.ntp.se) failed : Error in the certificate verification. The certificate is NOT trusted. The certificate chain uses not yet valid certificate.
Jan 1 00:00:21 hostname chronyd[44348]: TLS handshake with 194.58.202.210:4460 (nts.sth1.ntp.se) failed : Error in the certificate verification. The certificate is NOT trusted. The certificate chain uses not yet valid certificate.
Jan 1 00:00:23 hostname chronyd[44348]: TLS handshake with 162.159.200.123:4460 (time.cloudflare.com) failed : Error in the certificate verification. The certificate is NOT trusted. The certificate chain uses not yet valid certificate.
Jan 1 00:00:29 hostname chronyd[44348]: Source 17.253.82.253 replaced with 17.253.84.251 (time.apple.com)

[root@hostname /tmp]# chronyc -N sources
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^? time.cloudflare.com 0 8 0 - +0ns[ +0ns] +/- 0ns
^? nts.ntp.se 0 8 0 - +0ns[ +0ns] +/- 0ns
^? nts.sth1.ntp.se 0 8 0 - +0ns[ +0ns] +/- 0ns
^? nts.sth2.ntp.se 0 8 0 - +0ns[ +0ns] +/- 0ns
^- time.apple.com 1 6 17 20 -11259d[-11259d] +/- 106ms
^- time1.apple.com 1 6 27 17 -11259d[-11259d] +/- 83ms
^- time2.apple.com 1 6 17 20 -11259d[-11259d] +/- 81ms
^- time3.apple.com 1 6 17 20 -11259d[-11259d] +/- 83ms
^- time4.apple.com 1 6 17 19 -11259d[-11259d] +/- 83ms
^- time5.apple.com 1 6 17 20 -11259d[-11259d] +/- 83ms

[root@hostname /tmp]# chronyc -N authdata
Name/IP address Mode KeyID Type KLen Last Atmp NAK Cook CLen
=========================================================================
time.cloudflare.com NTS 0 0 0 - 1 0 0 0
nts.ntp.se NTS 0 0 0 - 1 0 0 0
nts.sth1.ntp.se NTS 0 0 0 - 1 0 0 0
nts.sth2.ntp.se NTS 0 0 0 - 0 0 0 0
time.apple.com - 0 0 0 - 0 0 0 0
time1.apple.com - 0 0 0 - 0 0 0 0
time2.apple.com - 0 0 0 - 0 0 0 0
time3.apple.com - 0 0 0 - 0 0 0 0
time4.apple..com - 0 0 0 - 0 0 0 0
time5.apple.com - 0 0 0 - 0 0 0 0

#######################################################################

Why does chronyd not time*.apple.com to sync time?

If I comment nts server out, chronyd will sync time quickly.