| Re: [chrony-users] NTS with IP addresses |
[ Thread Index |
Date Index
| More chrony.tuxfamily.org/chrony-users Archives
]
- To: chrony-users@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [chrony-users] NTS with IP addresses
- From: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
- Date: Mon, 14 Feb 2022 09:31:30 +0100
- Authentication-results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=mlichvar@xxxxxxxxxx
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1644827495; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=lI+EEvZ8/LyKoDbS6NsQ6YvlCEgg8Vm5+90GZc1tP6w=; b=QNm7ceHDWKgYQu1AD/lCGG17kswghgEmPL19/IlyBR5SszOTAHE+N3iIA56WoiEaJY7DI7 5OJWzi0ETU9CRTaB6F1hSRr/A8PRvkeoA8ImsCbBtz597DUL9YP7SzMQm1cppYazUgbKs9 XOjHVcO2aPAReYUdZFNv8SvsOivIw7s=
On Sun, Feb 13, 2022 at 05:05:19PM +0000, Sad Clouds wrote:
> Hi, I'm using chrony with NTS enabled NTP server. If I try to use IP
> address, instead of DNS name, I get the following errors:
>
> TLS handshake with 162.159.200.1:4460 (162.159.200.1) failed : Error
> in the certificate verification. The certificate is NOT trusted. The
> name in the certificate does not match the expected.
For an NTS server to be specified by the IP address, the certificate
needs to include it as a Subject Alternative Name. The Cloudflare
certificate doesn't have that.
> Is there a way to tell chrony to use a specific DNS name during
> certificate verification? I can't always use DNS at this stage, since
> the machine has no RTC clock and DNSSEC will not function until NTP
> client sets up correct system time.
A workaround I saw (on OpenWrt?) is to start first with plain DNS,
wait for the clock to synchronize, and then restart the DNS daemon
with DNSSEC enabled. That might be better than hardcoding the
addresses in /etc/hosts or the DNS configuration.
--
Miroslav Lichvar
--
To unsubscribe email chrony-users-request@xxxxxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject.
For help email chrony-users-request@xxxxxxxxxxxxxxxxxxxx
with "help" in the subject.
Trouble? Email listmaster@xxxxxxxxxxxxxxxxxxxx.