Re: [chrony-users] NTS with IP addresses



On Sun, Feb 13, 2022 at 05:05:19PM +0000, Sad Clouds wrote:
> Hi, I'm using chrony with an NTS-enabled NTP server. If I try to use an IP
> address, instead of a DNS name, I get the following errors:
> 
> TLS handshake with 162.159.200.1:4460 (162.159.200.1) failed : Error
> in the certificate verification. The certificate is NOT trusted. The
> name in the certificate does not match the expected.

For an NTS server to be specified by the IP address, the certificate
needs to include it as a Subject Alternative Name. The Cloudflare
certificate doesn't have that.

> Is there a way to tell chrony to use a specific DNS name during
> certificate verification? I can't always use DNS at this stage, since
> the machine has no RTC clock and DNSSEC will not function until NTP
> client sets up correct system time.

A workaround I saw (on OpenWrt?) is to start first with plain DNS,
wait for the clock to synchronize, and then restart the DNS daemon
with DNSSEC enabled. That might be better than hardcoding the
addresses in /etc/hosts or the DNS configuration.

-- 
Miroslav Lichvar
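As an added example (not from this thread and not part of chrony), a small Python check, using only the standard library, for whether a server's certificate carries the IP address you intend to configure as an IP-address Subject Alternative Name, so the mismatch above can be diagnosed before chrony is pointed at the address; the NTS-KE port 4460 is from the error message, the ALPN name "ntske/1" is the one NTS-KE uses (RFC 8915), and the certificate dicts used for testing are constructed.

```python
"""Check whether a TLS server's certificate lists a given IP address as a
Subject Alternative Name (SAN).  chrony requires this before an NTS server
can be configured by IP address rather than by DNS name."""
import ipaddress
import socket
import ssl

NTS_KE_PORT = 4460          # NTS-KE port from the error message
NTS_KE_ALPN = "ntske/1"     # ALPN protocol name used by NTS-KE (RFC 8915)


def san_ip_addresses(cert):
    """Return the IP-address SAN entries of a certificate given in the
    dict shape that ssl.SSLSocket.getpeercert() returns."""
    return [
        ipaddress.ip_address(value)
        for kind, value in cert.get("subjectAltName", ())
        if kind == "IP Address"
    ]


def ip_in_san(cert, ip):
    """True if `ip` is an IP-address SAN in `cert`.  DNS SANs are ignored:
    a certificate carrying only DNS names yields False, which is exactly
    the case chrony rejects with 'name in the certificate does not match'."""
    return ipaddress.ip_address(ip) in san_ip_addresses(cert)


def fetch_peer_cert(ip, port=NTS_KE_PORT, timeout=5.0):
    """Fetch the server certificate over TLS.  The chain is still validated
    against the system CA store, but the hostname check is disabled so a
    name mismatch does not abort the fetch; we inspect the SAN ourselves."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.set_alpn_protocols([NTS_KE_ALPN])
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=ip) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "162.159.200.1"
    cert = fetch_peer_cert(target)
    print("IP SANs:", [str(a) for a in san_ip_addresses(cert)])
    print("configurable by IP in chrony:", ip_in_san(cert, target))
```

A False result means the server must be configured by one of the DNS names in its certificate; a True result means `server <ip> nts` is expected to pass the name check.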



