Re: [chrony-users] NTS with IP addresses
- To: chrony-users@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [chrony-users] NTS with IP addresses
- From: Sad Clouds <cryintothebluesky@xxxxxxxxx>
- Date: Mon, 14 Feb 2022 11:13:29 +0000
- Cc: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
Hello, thank you, this makes sense. I'll try out various things and see
which works best.
On Mon, 14 Feb 2022 09:31:30 +0100
Miroslav Lichvar <mlichvar@xxxxxxxxxx> wrote:
> On Sun, Feb 13, 2022 at 05:05:19PM +0000, Sad Clouds wrote:
> > Hi, I'm using chrony with NTS enabled NTP server. If I try to use IP
> > address, instead of DNS name, I get the following errors:
> >
> > TLS handshake with 162.159.200.1:4460 (162.159.200.1) failed : Error
> > in the certificate verification. The certificate is NOT trusted. The
> > name in the certificate does not match the expected.
>
> For an NTS server to be specified by the IP address, the certificate
> needs to include it as a Subject Alternative Name. The Cloudflare
> certificate doesn't have that.
>
> > Is there a way to tell chrony to use a specific DNS name during
> > certificate verification? I can't always use DNS at this stage, since
> > the machine has no RTC clock and DNSSEC will not function until NTP
> > client sets up correct system time.
>
> A workaround I saw (on OpenWrt?) is to start first with plain DNS,
> wait for the clock to synchronize, and then restart the DNS daemon
> with DNSSEC enabled. That might be better than hardcoding the
> addresses in /etc/hosts or the DNS configuration.
>
> --
> Miroslav Lichvar
--
To unsubscribe email chrony-users-request@xxxxxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject.
For help email chrony-users-request@xxxxxxxxxxxxxxxxxxxx
with "help" in the subject.
Trouble? Email listmaster@xxxxxxxxxxxxxxxxxxxx.
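The certificate-name rule in Miroslav's reply (an IP address in the `server` directive is accepted only if the certificate lists that address as an iPAddress Subject Alternative Name, and dNSName entries never match an IP literal) can be checked against a certificate's SAN extension directly. The following is an added example written for this archive page; it is not chrony's code and nothing from the thread. It parses the DER-encoded GeneralNames value of a SAN extension and applies the same decision for a hostname or an IP literal. The two SAN byte strings are constructed for the example, not copied from any real certificate, and the names `ntp.example.net` and `192.0.2.10` are placeholders.

```python
"""Decide whether the argument of `server <host-or-ip> nts` in chrony.conf
would pass certificate name verification against a given SAN extension.

Added example for the chrony-users thread "NTS with IP addresses"; not
chrony's code. The SAN byte strings below are constructed by hand for the
example and do not come from a real certificate.
"""
import ipaddress


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos:]; return (tag, value, next_pos).
    Only single-byte tags and definite lengths are needed for a SAN."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length (> 127 bytes)
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_san(san_der):
    """Return (dns_names, ip_addresses) from a DER GeneralNames SEQUENCE.
    Context tags: [2] dNSName (IA5String), [7] iPAddress (4 or 16 raw bytes).
    Other GeneralName forms (rfc822Name, URI, ...) are ignored: they play no
    part in NTS-KE server identity checks."""
    tag, body, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SAN value is not a SEQUENCE")
    dns, ips = [], []
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0x82:
            dns.append(value.decode("ascii").lower())
        elif tag == 0x87:
            ips.append(ipaddress.ip_address(value))
    return dns, ips


def _dns_match(pattern, host):
    """Hostname match: exact, or a single wildcard in the leftmost label."""
    if pattern == host:
        return True
    if pattern.startswith("*.") and "." in host:
        return pattern[2:] == host.split(".", 1)[1]
    return False


def server_identity_ok(san_der, server_arg):
    """True if the certificate with this SAN would be accepted for
    `server <server_arg> nts`. An IP literal is compared only against
    iPAddress entries, never against dNSName entries, which is exactly why
    `server 162.159.200.1 nts` fails against a certificate that carries
    only DNS names."""
    dns, ips = parse_san(san_der)
    try:
        wanted = ipaddress.ip_address(server_arg)
    except ValueError:
        return any(_dns_match(p, server_arg.lower()) for p in dns)
    return wanted in ips


# Constructed sample 1: a SAN like a public NTS server's, DNS name only.
#   SEQUENCE(0x30, len 0x15) { [2](0x82, len 0x13) "time.cloudflare.com" }
DNS_ONLY_SAN = bytes.fromhex("3015" "8213") + b"time.cloudflare.com"

# Constructed sample 2: a self-hosted server whose certificate carries both
# a DNS name and an IP SAN, so either form of `server` directive works.
#   SEQUENCE(0x30, len 0x17) { [2](0x82, len 0x0f) "ntp.example.net",
#                              [7](0x87, len 4) 192.0.2.10 }
DNS_AND_IP_SAN = (bytes.fromhex("3017" "820f") + b"ntp.example.net"
                  + bytes.fromhex("8704" "c000020a"))


if __name__ == "__main__":
    for san, arg in ((DNS_ONLY_SAN, "time.cloudflare.com"),
                     (DNS_ONLY_SAN, "162.159.200.1"),
                     (DNS_AND_IP_SAN, "192.0.2.10")):
        print(f"server {arg} nts -> {'ok' if server_identity_ok(san, arg) else 'name mismatch'}")
```

To run the same check against a live server, fetch its certificate from the NTS-KE port (4460, ALPN `ntske/1`) with `openssl s_client` and print the extension with `openssl x509 -noout -ext subjectAltName`; if no `IP Address:` entry appears, the `server` directive must use a DNS name, and the DNSSEC bootstrap ordering Miroslav describes is what makes that name resolvable before the clock is set.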