[chrony-users] NTS with IP addresses
- To: chrony-users@xxxxxxxxxxxxxxxxxxxx
- Subject: [chrony-users] NTS with IP addresses
- From: Sad Clouds <cryintothebluesky@xxxxxxxxx>
- Date: Sun, 13 Feb 2022 17:05:19 +0000

Hi, I'm using chrony with an NTS-enabled NTP server. If I try to use an IP
address, instead of a DNS name, I get the following errors:

    TLS handshake with 162.159.200.1:4460 (162.159.200.1) failed : Error
    in the certificate verification. The certificate is NOT trusted. The
    name in the certificate does not match the expected.

Is there a way to tell chrony to use a specific DNS name during
certificate verification? I can't always use DNS at this stage, since
the machine has no RTC clock and DNSSEC will not function until the NTP
client sets up correct system time.

One workaround would be to add a line to /etc/hosts, but this is not
ideal, since something like time.cloudflare.com resolves to multiple
IP addresses and I would like chrony to use multiple clock sources. So
I added static entries to local-data in unbound.conf, but this is a
bit overkill and I would rather chrony handle SSL verification on its
own.

Thanks.
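
Why the handshake in the message above fails, as an added example that is not part of the original post and is not chrony's or GnuTLS's code: with RFC 6125-style matching, a TLS client compares the identity it was asked to reach against the certificate's subjectAltName entries, and an IP address is compared only with iPAddress entries. The SAN list and the function names are constructed for illustration.

```python
import ipaddress

# Constructed SAN list for illustration; not read from any real certificate.
SAMPLE_SANS = [("DNS", "time.cloudflare.com"), ("DNS", "*.time.example")]


def _is_ip(value):
    """True if value parses as an IPv4 or IPv6 literal."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _dns_match(pattern, name):
    """Case-insensitive match; '*' may only replace the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    n = name.lower().rstrip(".").split(".")
    if len(p) != len(n):
        return False
    if p[0] == "*":
        # Refuse overly broad wildcards such as "*.com".
        return len(p) > 2 and p[1:] == n[1:]
    return p == n


def verify_identity(reference, sans):
    """Return True if the SAN entries cover the reference identity.

    An IP reference is compared only against iPAddress entries and a host
    name only against dNSName entries, so a certificate that lists DNS names
    alone never matches when the client was configured with a bare IP.
    """
    if _is_ip(reference):
        ref = ipaddress.ip_address(reference)
        return any(kind == "IP" and _is_ip(v) and ipaddress.ip_address(v) == ref
                   for kind, v in sans)
    return any(kind == "DNS" and _dns_match(v, reference) for kind, v in sans)


if __name__ == "__main__":
    # Same server, two reference identities: the address from the error
    # message and the DNS name that the /etc/hosts workaround keeps in use.
    for reference in ("162.159.200.1", "time.cloudflare.com"):
        print(reference, "->", verify_identity(reference, SAMPLE_SANS))
```

The /etc/hosts and unbound local-data workarounds pass this check because the client is still configured with the name, so the name remains the reference identity even though resolution is local.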