[chrony-users] chrony with NTS: "Error in the pull function."

[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-users Archives ]

Dear List

Trying to set up NTS (RFC 8915) with chrony an authenticated request fails. 
The failing client (another chronyd using: server sirup.3eck.net iburst nts) 

"chronyd[5269]: TLS handshake with (ntp.3eck.net) failed : 
Error in the pull function."

First I used the certificate without intermediate cert on the server, but that 
failed on the client with:
"Error in the certificate verification. The certificate is NOT trusted. The 
certificate issuer is unknown." 
So I am pretty sure to use the right files now, using the "fullchain.pem" and 
"privkey.pem" (copied to /etc/chrony ; permissions set).

The certificate from Let's encrypt looks like this:

        Version: 3 (0x2)
        Serial Number:
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
            Not Before: Dec 17 00:41:36 2021 GMT
            Not After : Mar 17 00:41:35 2022 GMT
        Subject: CN = sirup.3eck.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
            X509v3 Subject Key Identifier: 
            X509v3 Authority Key Identifier: 

            Authority Information Access: 
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/

            X509v3 Subject Alternative Name: 
                DNS:dns.3eck.net, DNS:ntp.3eck.net, DNS:sirup.3eck.net
            X509v3 Certificate Policies: 
                  CPS: http://cps.letsencrypt.org

            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 41:C8:CA:B1:DF:22:46:4A:10:C6:A1:3A: [...]
                Timestamp : Dec 17 01:41:37.031 2021 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:91:AA:B7:C6:AF: [...]
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 46:A5:55:EB:75:FA  [...]47
                    Timestamp : Dec 17 01:41:37.053 2021 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:9E:1E:B2:1F:7F:4F:43:4A: [...]
    Signature Algorithm: sha256WithRSAEncryption
         04:57:75:36:d1:16:ae:8b:e2:cb:f5:ac:4e:df:a9:f9:e9:7b: [...]

The relevant configuration of chrony on the server is:

# NTS - network time security
ntsservercert /etc/chrony/le_sirup_cert.pem
ntsserverkey /etc/chrony/le_sirup_privkey.pem
ntsprocesses 3
maxntsconnections 512
ntsdumpdir /var/lib/chrony

The Server starts happily with:
Dec 17 02:43:35 sirup chronyd[16831]: chronyd version 4.0 starting (+CMDMON 
Dec 17 02:43:35 sirup chronyd[16831]: Frequency -78.873 +/- 0.021 ppm read 
from /var/lib/chrony/chrony.drift
Dec 17 02:43:35 sirup chronyd[16831]: Loaded seccomp filter
Dec 17 02:43:40 sirup chronyd[16831]: System's initial offset : 0.000069 
seconds fast of true (slew)
Dec 17 02:43:47 sirup chronyd[16831]: Selected source 
Dec 17 02:43:49 sirup chronyd[16831]: Selected source 
Dec 17 02:44:29 sirup chronyd[16831]: Selected source PPS

What am I doing wrong?

Thank you for any hint!

Best regards, Adrian.

Attachment: signature.asc
Description: This is a digitally signed message part.

Mail converted by MHonArc 2.6.19+ http://listengine.tuxfamily.org/