Re: [chrony-users] Chronyd does not use non-nts servers



Is it possible to use unauthenticated NTP sources just as bootstrap NTP sources, so that once the clock is reasonably close to the true time, the unauthenticated NTP sources automatically get the noselect option to prevent them from being selected for synchronisation?
That is not simply falling back to unauthenticated NTP.


On Thu, Oct 29, 2020 at 6:43 AM Miroslav Lichvar <mlichvar@xxxxxxxxxx> wrote:
On Thu, Oct 29, 2020 at 04:09:32AM -0400, William Holmes wrote:
> [root@hostname /tmp]# date +%Y%m%d -s '19900101'

> Jan  1 00:00:21 hostname chronyd[44348]: TLS handshake with
> 194.58.202.218:4460 (nts.sth2.ntp.se) failed : Error in the certificate
> verification. The certificate is NOT trusted. The certificate chain uses
> not yet valid certificate.

Unfortunately, this is a chicken-and-egg problem with NTS. It needs
the clock to be reasonably close to the true time (say within days or
weeks) to be able to verify the certificates. The whole point of NTS
is to synchronize the clock securely, so it cannot just fall back to
unauthenticated NTP.

Most computers have an RTC backed up by a battery. Once corrected
manually, it should be good enough to keep NTS working even if the
machine is turned off for years at a time.

With no RTC or battery, you can use the -s option to restore the time
from the previous shutdown/reboot. That should work well for machines
that are not turned off for too long.

As a last resort, you can disable the certificate time checks with the
nocerttimecheck directive in chrony.conf, but it has an impact on
security.

--
Miroslav Lichvar
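The following chrony.conf fragment is an added illustration of the options discussed above; it is not from the thread or from the chrony project, and it assumes chrony 4.x. The only hostname taken from the thread is nts.sth2.ntp.se; nts.example.net and pool.ntp.org are placeholders. It also shows why a static noselect on an unauthenticated source does not by itself solve the bootstrap problem:

```conf
# Added example (not from the thread): a chrony 4.x chrony.conf combining the
# options mentioned in the reply. Hostnames other than nts.sth2.ntp.se are
# assumed placeholders.

# Authenticated sources: NTS-KE over TCP/4460, then NTP over UDP/123.
server nts.sth2.ntp.se iburst nts
server nts.example.net iburst nts        # assumed second NTS server

# Keep NTS cookies across restarts so the TLS key establishment (and with it
# the certificate time check) is not repeated on every start.
ntsdumpdir /var/lib/chrony

# Keep the RTC in step with the system clock. A battery-backed RTC is what
# normally keeps the clock close enough for certificate verification after
# a long power-off.
rtcsync

# Without an RTC, `chronyd -s` uses this file's modification time to restore
# the clock from the previous shutdown, which is usually close enough for the
# certificate checks to pass.
driftfile /var/lib/chrony/drift

# Allow a large correction by stepping during the first three updates.
makestep 1.0 3

# Unauthenticated source for monitoring only. Caveat: a noselect source is
# never used to adjust the clock, so it cannot bootstrap the time for NTS
# either; it only appears in `chronyc sources` for comparison.
server pool.ntp.org iburst noselect      # assumed placeholder

# Last resort from the reply (weak setting): disable the certificate
# activation/expiry checks for the first clock update only. During that one
# update a certificate that chains correctly but is expired or not yet valid
# would be accepted, so prefer an RTC or `chronyd -s` over this.
# nocerttimecheck 1
```

Start chronyd with `-s` on a machine without a working RTC so the driftfile timestamp seeds the clock, then check `chronyc sources` and `chronyc authdata` to confirm the NTS sources are authenticated and selectable while the noselect source is only observed.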




