Re: [chrony-users] NTS with IP addresses

[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-users Archives ]

To: chrony-users@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [chrony-users] NTS with IP addresses
From: Sad Clouds <cryintothebluesky@xxxxxxxxx>
Date: Mon, 14 Feb 2022 11:13:29 +0000
Cc: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=date:from:to:cc:subject:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=mKKvH7yZ2p/GtON1sOPB161krlFcieEKZv+EHTDo5ps=; b=GN3CvGDels6lHzw5G+Xf4BOXfdpk3ouqvXnYrzeAbLPFHSxuTsIkl6dvbDOgf2bGt3 F5SMa4tkw8qNoS0ObBndCMofYnoGEBYwLGNkUwNh3dNJ716Ywae99UDXo6nnRFKZUBBX DZjOAqy3Va0P1HdOgxkdtBrLRCxR20HNvzj+2+Pld9JkDVA+3C1ZKhQAnS/1qypPU/Aj JOolzRFX7yRww4zxir3cHAZ6XBlv2JzfuXGmAozx43n5y1I12Niw97F+lT1ujVkdbG2H XnqXTNI2DBRLn5T27P95xSqC+IoBaLnGKym3X9PZY/JPP4mqV4nVvR3pxNintcSYQMn0 JeqA==

Hello, thank you, this makes sense. I'll try out various things and see
which works best.

On Mon, 14 Feb 2022 09:31:30 +0100
Miroslav Lichvar <mlichvar@xxxxxxxxxx> wrote:

> On Sun, Feb 13, 2022 at 05:05:19PM +0000, Sad Clouds wrote:
> > Hi, I'm using chrony with NTS enabled NTP server. If I try to use IP
> > address, instead of DNS name, I get the following errors:
> > 
> > TLS handshake with 162.159.200.1:4460 (162.159.200.1) failed : Error
> > in the certificate verification. The certificate is NOT trusted. The
> > name in the certificate does not match the expected.
> 
> For an NTS server to be specified by the IP address, the certificate
> needs to include it as a Subject Alternative Name. The Cloudflare
> certificate doesn't have that.
> 
> > Is there a way to tell chrony to use a specific DNS name during
> > certificate verification? I can't always use DNS at this stage, since
> > the machine has no RTC clock and DNSSEC will not function until NTP
> > client sets up correct system time.
> 
> A workaround I saw (on OpenWrt?) is to start first with plain DNS,
> wait for the clock to synchronize, and then restart the DNS daemon
> with DNSSEC enabled. That might be better than hardcoding the
> addresses in /etc/hosts or the DNS configuration.
> 
> -- 
> Miroslav Lichvar
> 
> 
> -- 
> To unsubscribe email chrony-users-request@xxxxxxxxxxxxxxxxxxxx 
> with "unsubscribe" in the subject.
> For help email chrony-users-request@xxxxxxxxxxxxxxxxxxxx 
> with "help" in the subject.
> Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.
> 

-- 
To unsubscribe email chrony-users-request@xxxxxxxxxxxxxxxxxxxx 
with "unsubscribe" in the subject.
For help email chrony-users-request@xxxxxxxxxxxxxxxxxxxx 
with "help" in the subject.
Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.

References:
- [chrony-users] NTS with IP addresses
  - From: Sad Clouds
- Re: [chrony-users] NTS with IP addresses
  - From: Miroslav Lichvar

Messages sorted by: [ date | thread ]
Prev by Date: Re: [chrony-users] NTS with IP addresses
Next by Date: Re: [chrony-users] rejecting one of two trusted hosts
Previous by thread: Re: [chrony-users] NTS with IP addresses
Next by thread: [chrony-users] Chrony gets out of sync regularly

Mail converted by MHonArc 2.6.19+

http://listengine.tuxfamily.org/