[chrony-users] chrony with NTS: "Error in the pull function."
Dear List,

Trying to set up NTS (RFC 8915) with chrony, an authenticated request fails. The failing client (another chronyd using: server sirup.3eck.net iburst nts) reports:

    chronyd[5269]: TLS handshake with 62.12.167.109:4460 (ntp.3eck.net) failed : Error in the pull function.

First I used the certificate without intermediate cert on the server, but that failed on the client with:

    Error in the certificate verification. The certificate is NOT trusted. The certificate issuer is unknown.

So I am pretty sure to use the right files now, using the "fullchain.pem" and "privkey.pem" (copied to /etc/chrony; permissions set).

The certificate from Let's Encrypt looks like this:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                03:a2:45:4d:da:a1:ae:2f:c9:f6:d4:02:92:1b:d6:39:05:a8
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C = US, O = Let's Encrypt, CN = R3
            Validity
                Not Before: Dec 17 00:41:36 2021 GMT
                Not After : Mar 17 00:41:35 2022 GMT
            Subject: CN = sirup.3eck.net
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    RSA Public-Key: (4096 bit)
                    Modulus:
                        00:bc:81:ae:b4:5a:c8:48:6f:cd:92:29:26:3c:71:
                        [...]
                        3f:df:a5
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Subject Key Identifier:
                    3C:BE:EA:AD:42:7E:CF:76:AC:F1:E4:9C:E9:48:D2:8F:04:59:3A:2A
                X509v3 Authority Key Identifier:
                    keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:
                Authority Information Access:
                    OCSP - URI:http://r3.o.lencr.org
                    CA Issuers - URI:http://r3.i.lencr.org/
                X509v3 Subject Alternative Name:
                    DNS:dns.3eck.net, DNS:ntp.3eck.net, DNS:sirup.3eck.net
                X509v3 Certificate Policies:
                    Policy: 2.23.140.1.2.1
                    Policy: 1.3.6.1.4.1.44947.1.1.1
                      CPS: http://cps.letsencrypt.org
                CT Precertificate SCTs:
                    Signed Certificate Timestamp:
                        Version   : v1 (0x0)
                        Log ID    : 41:C8:CA:B1:DF:22:46:4A:10:C6:A1:3A: [...]
                        Timestamp : Dec 17 01:41:37.031 2021 GMT
                        Extensions: none
                        Signature : ecdsa-with-SHA256
                                    30:46:02:21:00:91:AA:B7:C6:AF: [...]
                    Signed Certificate Timestamp:
                        Version   : v1 (0x0)
                        Log ID    : 46:A5:55:EB:75:FA [...]47
                        Timestamp : Dec 17 01:41:37.053 2021 GMT
                        Extensions: none
                        Signature : ecdsa-with-SHA256
                                    30:46:02:21:00:9E:1E:B2:1F:7F:4F:43:4A: [...]
        Signature Algorithm: sha256WithRSAEncryption
             04:57:75:36:d1:16:ae:8b:e2:cb:f5:ac:4e:df:a9:f9:e9:7b: [...]

The relevant configuration of chrony on the server is:

    # NTS - network time security
    ntsservercert /etc/chrony/le_sirup_cert.pem
    ntsserverkey /etc/chrony/le_sirup_privkey.pem
    ntsprocesses 3
    maxntsconnections 512
    ntsdumpdir /var/lib/chrony

The server starts happily with:

    Dec 17 02:43:35 sirup chronyd[16831]: chronyd version 4.0 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 -DEBUG)
    Dec 17 02:43:35 sirup chronyd[16831]: Frequency -78.873 +/- 0.021 ppm read from /var/lib/chrony/chrony.drift
    Dec 17 02:43:35 sirup chronyd[16831]: Loaded seccomp filter
    Dec 17 02:43:40 sirup chronyd[16831]: System's initial offset : 0.000069 seconds fast of true (slew)
    Dec 17 02:43:47 sirup chronyd[16831]: Selected source 192.33.96.102 (time2.ethz.ch)
    Dec 17 02:43:49 sirup chronyd[16831]: Selected source 195.176.26.206 (ntp13.metas.ch)
    Dec 17 02:44:29 sirup chronyd[16831]: Selected source PPS
    [...]

What am I doing wrong? Thank you for any hint!

Best regards,
Adrian.
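An added sanity check for the files handed to ntsservercert/ntsserverkey (example code, not from the original message or from chrony): it counts the certificates in the PEM (a fullchain holds more than one), checks that each certificate is issued by the one following it, confirms the private key belongs to the leaf, and confirms the name the client connects to appears in the SAN. It assumes openssl on PATH; the paths in the usage comment are the poster's and the host name is a placeholder.

```shell
#!/bin/sh
# Sanity checks for the files given to chronyd's ntsservercert/ntsserverkey.
# Added example, not code from chrony or the original poster; needs openssl.
# Usage: check_nts_files /etc/chrony/le_sirup_cert.pem \
#            /etc/chrony/le_sirup_privkey.pem ntp.3eck.net

# Number of PEM certificate blocks in the file (a fullchain has >= 2).
cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# 0 if the private key's public half equals the leaf certificate's public key
# (compared as SHA-256 of the DER-encoded SubjectPublicKeyInfo).
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if the leaf's subjectAltName lists the name the client connects to.
san_has_host() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' |
        grep -qE "DNS:$2(,|\$)"
}

# 0 if certificate i in the file is issued by certificate i+1, i.e. the file
# is the leaf followed by its intermediate(s), which is what chronyd must serve
# so the client can build a chain to a trusted root.
chain_links() {
    d=$(mktemp -d)
    awk -v d="$d" '/BEGIN CERT/{n++} n{print > (d "/" n ".pem")}' "$1"
    i=1; ok=0
    while [ -f "$d/$((i+1)).pem" ]; do
        iss=$(openssl x509 -in "$d/$i.pem" -noout -issuer)
        sub=$(openssl x509 -in "$d/$((i+1)).pem" -noout -subject)
        [ "${iss#issuer=}" = "${sub#subject=}" ] || ok=1
        i=$((i+1))
    done
    rm -rf "$d"
    return $ok
}

# Report all four checks for a cert file, key file and client-facing host name.
check_nts_files() {
    echo "certificates in $1: $(cert_count "$1")"
    chain_links "$1" && echo "chain links correctly" || echo "chain does NOT link"
    key_matches_cert "$1" "$2" && echo "key matches leaf" || echo "key does NOT match leaf"
    san_has_host "$1" "$3" && echo "SAN covers $3" || echo "SAN does NOT cover $3"
}
```

A single-certificate file that passes the key and SAN checks but reports only one certificate is exactly the "certificate issuer is unknown" situation from the first attempt.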