Re: [chrony-users] NTS with IP addresses



Hello, thank you, this makes sense. I'll try out various things and see
which works best.

On Mon, 14 Feb 2022 09:31:30 +0100
Miroslav Lichvar <mlichvar@xxxxxxxxxx> wrote:

> On Sun, Feb 13, 2022 at 05:05:19PM +0000, Sad Clouds wrote:
> > Hi, I'm using chrony with NTS enabled NTP server. If I try to use IP
> > address, instead of DNS name, I get the following errors:
> > 
> > TLS handshake with 162.159.200.1:4460 (162.159.200.1) failed : Error
> > in the certificate verification. The certificate is NOT trusted. The
> > name in the certificate does not match the expected.
> 
> For an NTS server to be specified by the IP address, the certificate
> needs to include it as a Subject Alternative Name. The Cloudflare
> certificate doesn't have that.
> 
> > Is there a way to tell chrony to use a specific DNS name during
> > certificate verification? I can't always use DNS at this stage, since
> > the machine has no RTC clock and DNSSEC will not function until NTP
> > client sets up correct system time.
> 
> A workaround I saw (on OpenWrt?) is to start first with plain DNS,
> wait for the clock to synchronize, and then restart the DNS daemon
> with DNSSEC enabled. That might be better than hardcoding the
> addresses in /etc/hosts or the DNS configuration.
> 
> -- 
> Miroslav Lichvar
> 
> 
> -- 
> To unsubscribe email chrony-users-request@xxxxxxxxxxxxxxxxxxxx 
> with "unsubscribe" in the subject.
> For help email chrony-users-request@xxxxxxxxxxxxxxxxxxxx 
> with "help" in the subject.
> Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.
> 

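To make the SAN rule in the reply above concrete, here is an added example (not code from chrony or from this thread) that mimics how a TLS client decides whether a configured server name is covered by a certificate: an IP-address server must match an iPAddress SAN, while a hostname matches a dNSName SAN. The SAN list is constructed for illustration; the host name time.cloudflare.com is an assumption, since the thread only mentions the address 162.159.200.1.

```python
import ipaddress

# Constructed SAN list modelled on the situation in the thread: the
# certificate carries only DNS names and no iPAddress entry.
CONSTRUCTED_SANS = [("DNS", "time.cloudflare.com"), ("DNS", "*.cloudflare.com")]


def _dns_match(pattern, name):
    """Match a dNSName SAN (case-insensitive, single leading wildcard label)."""
    pattern, name = pattern.lower(), name.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".cloudflare.com"
        if not name.endswith(suffix):
            return False
        first_label = name[: -len(suffix)]
        # The wildcard covers exactly one non-empty label.
        return first_label != "" and "." not in first_label
    return pattern == name


def server_matches_cert(server, sans):
    """Return True if the configured server string is covered by the SANs.

    A server given as an IP address is only accepted if an iPAddress SAN
    equals it; DNS-name SANs are ignored for it, which is why pointing
    chrony at 162.159.200.1 fails against a certificate with DNS names only.
    """
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        addr = None
    if addr is not None:
        return any(kind == "IP" and ipaddress.ip_address(value) == addr
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_match(value, server)
               for kind, value in sans)
```

Adding an ("IP", "162.159.200.1") entry to the list is the only change that makes the IP-address form verify, which is what the reply means by the certificate needing the address as a Subject Alternative Name.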