[chrony-users] chrony with NTS: "Error in the pull function."



Dear List

Trying to set up NTS (RFC 8915) with chrony, an authenticated request fails.
The failing client (another chronyd using: server sirup.3eck.net iburst nts)
reports:

"chronyd[5269]: TLS handshake with 62.12.167.109:4460 (ntp.3eck.net) failed : 
Error in the pull function."

First I used the certificate without intermediate cert on the server, but that 
failed on the client with:
"Error in the certificate verification. The certificate is NOT trusted. The 
certificate issuer is unknown." 
So I am pretty sure I am using the right files now, the "fullchain.pem" and
"privkey.pem" (copied to /etc/chrony; permissions set).

The certificate from Let's Encrypt looks like this:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:a2:45:4d:da:a1:ae:2f:c9:f6:d4:02:92:1b:d6:39:05:a8
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Dec 17 00:41:36 2021 GMT
            Not After : Mar 17 00:41:35 2022 GMT
        Subject: CN = sirup.3eck.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    00:bc:81:ae:b4:5a:c8:48:6f:cd:92:29:26:3c:71:
		[...]
                    3f:df:a5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                3C:BE:EA:AD:42:7E:CF:76:AC:F1:E4:9C:E9:48:D2:8F:04:59:3A:2A
            X509v3 Authority Key Identifier: 
                keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:

            Authority Information Access: 
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/

            X509v3 Subject Alternative Name: 
                DNS:dns.3eck.net, DNS:ntp.3eck.net, DNS:sirup.3eck.net
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org

            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 41:C8:CA:B1:DF:22:46:4A:10:C6:A1:3A: [...]
                Timestamp : Dec 17 01:41:37.031 2021 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:91:AA:B7:C6:AF: [...]
			
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 46:A5:55:EB:75:FA  [...]47
                    Timestamp : Dec 17 01:41:37.053 2021 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:9E:1E:B2:1F:7F:4F:43:4A: [...]
    Signature Algorithm: sha256WithRSAEncryption
         04:57:75:36:d1:16:ae:8b:e2:cb:f5:ac:4e:df:a9:f9:e9:7b: [...]



The relevant configuration of chrony on the server is:

# NTS - network time security
ntsservercert /etc/chrony/le_sirup_cert.pem
ntsserverkey /etc/chrony/le_sirup_privkey.pem
ntsprocesses 3
maxntsconnections 512
ntsdumpdir /var/lib/chrony


The server starts happily with:
Dec 17 02:43:35 sirup chronyd[16831]: chronyd version 4.0 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 -DEBUG)
Dec 17 02:43:35 sirup chronyd[16831]: Frequency -78.873 +/- 0.021 ppm read 
from /var/lib/chrony/chrony.drift
Dec 17 02:43:35 sirup chronyd[16831]: Loaded seccomp filter
Dec 17 02:43:40 sirup chronyd[16831]: System's initial offset : 0.000069 
seconds fast of true (slew)
Dec 17 02:43:47 sirup chronyd[16831]: Selected source 192.33.96.102 
(time2.ethz.ch)
Dec 17 02:43:49 sirup chronyd[16831]: Selected source 195.176.26.206 
(ntp13.metas.ch)
Dec 17 02:44:29 sirup chronyd[16831]: Selected source PPS
[...]


What am I doing wrong?

Thank you for any hint!


Best regards, Adrian.
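An added diagnostic, not part of Adrian's mail and not chrony's code: the two client errors quoted above are different failure classes. "Error in the certificate verification" is a chain or name problem, while "Error in the pull function." is GnuTLS's text for GNUTLS_E_PULL_ERROR, meaning the socket read underneath the TLS handshake failed (the peer closed or reset the connection before the handshake finished), so the certificate files were never the thing being checked. The script below reproduces the client side of NTS-KE from RFC 8915: it opens TLS 1.3 with ALPN "ntske/1" to port 4460, reports certificate-trust failures separately from transport failures, and builds and parses the key-establishment records (Next Protocol, AEAD, cookies, Error). The host name in `probe()` is a placeholder and `SAMPLE_RESPONSE` is a constructed server message; the record parsing runs offline without any server.

```python
"""NTS-KE (RFC 8915) client-side diagnostics. Added example; host name is a
placeholder, SAMPLE_RESPONSE is constructed, nothing here is chrony code."""
import socket
import ssl
import struct

# RFC 8915 section 4.1: record types, critical bit, protocol/AEAD identifiers
REC_END_OF_MESSAGE = 0
REC_NEXT_PROTOCOL = 1
REC_ERROR = 2
REC_AEAD_ALGORITHM = 4
REC_NEW_COOKIE = 5
REC_SERVER_NEGOTIATION = 6
REC_PORT_NEGOTIATION = 7
CRITICAL = 0x8000
PROTO_NTPV4 = 0
AEAD_AES_SIV_CMAC_256 = 15
NTS_KE_PORT = 4460
ALPN_NTSKE = "ntske/1"


class Incomplete(ValueError):
    """Raised when a message has no End of Message record yet (more bytes needed)."""


def encode_record(rtype, body, critical=False):
    """Record = 2-byte (critical bit | type), 2-byte body length, body."""
    return struct.pack("!HH", rtype | (CRITICAL if critical else 0), len(body)) + body


def build_request(aead_ids=(AEAD_AES_SIV_CMAC_256,)):
    """What a client sends after the handshake: NTPv4 next protocol, AEAD list, EOM."""
    return b"".join([
        encode_record(REC_NEXT_PROTOCOL, struct.pack("!H", PROTO_NTPV4), critical=True),
        encode_record(REC_AEAD_ALGORITHM, struct.pack("!%dH" % len(aead_ids), *aead_ids), critical=True),
        encode_record(REC_END_OF_MESSAGE, b"", critical=True),
    ])


def parse_records(data):
    """Return [(type, critical, body), ...] up to and including End of Message."""
    records, off = [], 0
    while True:
        if off + 4 > len(data):
            raise Incomplete("no End of Message record yet")
        raw_type, length = struct.unpack_from("!HH", data, off)
        off += 4
        body = data[off:off + length]
        if len(body) != length:
            raise Incomplete("record body truncated")
        off += length
        records.append((raw_type & 0x7FFF, bool(raw_type & CRITICAL), body))
        if raw_type & 0x7FFF == REC_END_OF_MESSAGE:
            return records


def summarize_response(data):
    """Reduce a server response to the fields a client acts on; unknown critical records are fatal."""
    out = {"error": None, "protocol": None, "aead": None, "cookies": [], "server": None, "port": None}
    for rtype, critical, body in parse_records(data):
        if rtype == REC_ERROR:
            out["error"] = struct.unpack("!H", body)[0]      # 0 unrecognized critical, 1 bad request, 2 internal
        elif rtype == REC_NEXT_PROTOCOL:
            out["protocol"] = struct.unpack("!H", body[:2])[0]
        elif rtype == REC_AEAD_ALGORITHM:
            out["aead"] = struct.unpack("!H", body[:2])[0]
        elif rtype == REC_NEW_COOKIE:
            out["cookies"].append(body)
        elif rtype == REC_SERVER_NEGOTIATION:
            out["server"] = body.decode("ascii")
        elif rtype == REC_PORT_NEGOTIATION:
            out["port"] = struct.unpack("!H", body)[0]
        elif critical and rtype != REC_END_OF_MESSAGE:
            raise ValueError("unknown critical record type %d" % rtype)
    return out


# Constructed server reply: NTPv4 accepted, AES-SIV-CMAC-256 chosen, two dummy cookies.
SAMPLE_RESPONSE = b"".join([
    encode_record(REC_NEXT_PROTOCOL, struct.pack("!H", PROTO_NTPV4), critical=True),
    encode_record(REC_AEAD_ALGORITHM, struct.pack("!H", AEAD_AES_SIV_CMAC_256), critical=True),
    encode_record(REC_NEW_COOKIE, b"cookie-1"),
    encode_record(REC_NEW_COOKIE, b"cookie-2"),
    encode_record(REC_END_OF_MESSAGE, b"", critical=True),
])


def probe(host="nts.example.invalid", port=NTS_KE_PORT, timeout=5.0):
    """Run the TLS 1.3 + ALPN handshake chronyd performs for NTS-KE and classify the outcome."""
    ctx = ssl.create_default_context()            # system CA store, hostname check enabled
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.set_alpn_protocols([ALPN_NTSKE])
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                if tls.selected_alpn_protocol() != ALPN_NTSKE:
                    return {"status": "no-ntske-alpn"}   # TLS works but the peer is not an NTS-KE server
                sans = [v for k, v in tls.getpeercert().get("subjectAltName", ()) if k == "DNS"]
                tls.sendall(build_request())
                buf = b""
                while True:
                    chunk = tls.recv(4096)
                    if not chunk:
                        return {"status": "transport", "detail": "closed before End of Message"}
                    buf += chunk
                    try:
                        return {"status": "ok", "san": sans, "response": summarize_response(buf)}
                    except Incomplete:
                        continue
    except ssl.SSLCertVerificationError as e:
        return {"status": "cert-untrusted", "detail": str(e)}   # chain or name mismatch
    except (ssl.SSLError, OSError) as e:
        return {"status": "transport", "detail": str(e)}        # reset/closed mid-handshake, unreachable


if __name__ == "__main__":
    print(summarize_response(SAMPLE_RESPONSE))
```

A "transport" result from `probe()` against a host that answers plain NTP is the same symptom the client above logs: the TCP connection to 4460 is accepted or refused by something (a firewall, a listener that is not chronyd's NTS-KE, or a server that drops the session) before any certificate is exchanged, and a "cert-untrusted" result points back at the chain files instead.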
