Re: [chrony-users] Re: NTS Server Setup with Let's Encrypt
- To: Gerd Hoerst <gerd@xxxxxxxxxx>
- Subject: Re: [chrony-users] Re: NTS Server Setup with Let's Encrypt
- From: kross@xxxxxxxxxxxxxxxxxxxx
- Date: Fri, 25 Apr 2025 12:34:32 +0200 (GMT+02:00)
- Cc: chrony-users@xxxxxxxxxxxxxxxxxxxx
Hello Gerd,
Hmm, the first thing I'd look at would probably be to double-check that you're seeing the same thing locally as what I see from the outside, i.e., make sure that what I am seeing is not caused by some intermediate entity messing with the communication. E.g., try something like the following, substituting your domain name/port number:
openssl s_client -showcerts -connect ptbtime2.ptb.de:4460
Then, I guess you'd already noticed/looked for error messages in the logs, so I assume you not mentioning anything in that regard likely means there weren't any. If chronyd had issues reading the file, and assuming the log level that seems the default on Debian, it would emit a message like the following:
Apr 24 15:43:06 debian chronyd[18603]: Could not set credentials : Error while reading file.
Depending on the exact issue, there _might_ be other messages with slightly more info, e.g.,
Apr 24 15:43:06 debian chronyd[18602]: Missing read access to /etc/chrony/key.pem : Permission denied
(I found that there is no such additional message when chronyd cannot find the file at all.)
So, just to be sure, double-check there aren't any error messages in the logs, and that the ownership and permissions on the files are indeed correct.
One thing I noted when re-reading previous messages: Your snippet copies "only" the actual server certificate, when it should be the full chain, i.e., including at least the certificates of any intermediate issuing entities (the root certificate is typically assumed to be available on the client already). I haven't tried that yet, but depending on the server TLS library and how it's used, that _might_ cause a failure in setting the needed credentials. So, if the above did not indicate another issue, using the fullchain.pem file instead of the cert.pem one would probably be the next thing to try as far as changing and checking whether that makes a difference goes.
Kind regards,
Joachim
25.04.2025 10:58:50 Gerd Hoerst <gerd@xxxxxxxxxx>:
> Hi !
>
> Thanks a lot.... but I actually have no idea where to start with the bug search....
> the key is an RSA key from Let's Encrypt
>
> and the setup in chrony
>
> ntsserverkey /etc/chrony/cert/privkey.pem
> ntsservercert /etc/chrony/cert/cert.pem
> ntsdumpdir /var/lib/chrony
>
> the chronyc -N serverstats says:
>
> NTP packets received : 35975673
> NTP packets dropped : 0
> Command packets received : 81
> Command packets dropped : 0
> Client log records dropped : 15616714
> NTS-KE connections accepted: 946
> NTS-KE connections dropped : 0
> Authenticated NTP packets : 0
> Interleaved NTP packets : 110
> NTP timestamps held : 2403
> NTP timestamp span : 766138
> NTP daemon RX timestamps : 0
> NTP daemon TX timestamps : 35971583
> NTP kernel RX timestamps : 35971693
> NTP kernel TX timestamps : 110
> NTP hardware RX timestamps : 0
> NTP hardware TX timestamps : 0
>
> Ciao Gerd
>
> Am 24.04.2025 18:13, schrieb kross@xxxxxxxxxxxxxxxxxxxx:
>> Hello Gerd,
>> Assuming that your intention is to run an NTS server at the domain you
>> shared as part of your example, just fyi that it is accepting TCP
>> connections, but it seems it is not accepting TLS connections on the
>> default NTS-KE port. In case you're running chronyd (strong likelihood
>> given the forum), in my experience, that can happen when chronyd is
>> not able to read one or more of the credential files, e.g., because
>> chronyd cannot find it/them in the place configured, or chronyd
>> doesn't have read rights for the file(s).
>> Kind regards,
>> Joachim
>> 23.04.2025 11:37:09 kross@xxxxxxxxxxxxxxxxxxxx:
>>>> so why not copy them before and give them the correct rights ?
>>> Sure, but why not let the deploy hook do that as well for you?
>>>> the hook is used to restart services
>>> Yes, if that is all you tell it to do. But it can do more than that.
>>>
>>> The deploy hook does whatever you tell it to do, as defined by the
>>> script one places in the deploy subfolder.
>>> Kind regards,
>>> Joachim
>>> 23.04.2025 11:31:04 Gerd Hoerst <gerd@xxxxxxxxxx>:
>>>> Hi !
>>>> the hook is used to restart services (like apache/postfix/dovecot)
>>>> after a renewal (if there was no user rights issue, you also need to
>>>> restart/reload chrony to use the new certs... so why not copy them
>>>> before and give them the correct rights ?
>>>> Ciao Gerd
>>>> Am 22.04.25 um 23:51 schrieb kross@xxxxxxxxxxxxxxxxxxxx:
>>>>>> Why just do that in the renewal-hook/post script ?
>>>>> Not sure I fully grasp your drift, so apologies if the following is
>>>>> old news.
>>>>> The point of the certbot renewal hook is automation of deployment.
>>>>> Nothing wrong with manually keeping track of the validity of existing
>>>>> certificates, e.g., periodically checking, setting a reminder
>>>>> somewhere, having a tool that checks and alerts, or waiting until
>>>>> someone or something alerts upon finding an expired certificate (as
>>>>> you will have seen, Let's Encrypt will cease sending reminders in the
>>>>> near future). And then deploying manually (assuming certbot did an
>>>>> automated renewal, or maybe do that manually as well).
>>>>> But once the number of certificates to keep track of reaches a certain
>>>>> level, or the thrill of learning the ropes, i.e., setting this up in
>>>>> the first place, and going through the motions of deploying manually
>>>>> after (manual or automated) renewal, diminishes after a few
>>>>> iterations, automated deployment (after automated renewal) is your
>>>>> friend.
>>>>> As always, YMMV.
>>>>> Kind regards,
>>>>> Joachim
>>>>> 22.04.2025 22:50:06 Sviatoslav Feshchenko <sviatoslav.feshchenko@xxxxxxxxx>:
>>>>>> This seems like a simpler solution! Thank you for sharing!
>>>>>> Sviatoslav
>>>>>> On Tuesday, April 22nd, 2025 at 3:32 AM, Gerd Hoerst <gerd@xxxxxxxxxx> wrote:
>>>>>>> Hi !
>>>>>>> Why just do that in the renewal-hook/post script ?
>>>>>>> cp -L /etc/letsencrypt/live/time.hoerst.net/cert.pem /etc/chrony/cert/
>>>>>>> cp -L /etc/letsencrypt/live/time.hoerst.net/privkey.pem /etc/chrony/cert/
>>>>>>> chmod g+r /etc/chrony/cert/*
>>>>>>> systemctl restart chrony
>>>>>>> Ciao Gerd
>>>>>>> Am 20.04.25 um 19:40 schrieb kross@xxxxxxxxxxxxxxxxxxxx:
>>>>>>> …
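The thread above pins the failure mode down to two things: chronyd silently refusing TLS on the NTS-KE port when it cannot read its credential files, and a cert.pem that carries only the leaf where the full chain is needed. The script below is an added example, not code from the thread or from the chrony project: it turns Gerd's post-renewal snippet (cp -L, g+r, systemctl restart chrony) into a certbot deploy hook that copies fullchain.pem instead of cert.pem, and automates the checks Joachim suggested (chain completeness, key permissions, and an external openssl s_client test on port 4460). The lineage directory, /etc/chrony/cert and the _chrony group are assumptions for a Debian-style host; RENEWED_LINEAGE is the variable certbot exports to deploy hooks.

```shell
#!/bin/sh
# Added example (not from the thread): a certbot deploy hook for chronyd's NTS
# server. It installs the Let's Encrypt FULL CHAIN and private key into a
# chrony-readable directory, checks the two things the thread points at
# (chain completeness, key permissions) and restarts chronyd. Directory,
# lineage and group names below are assumptions; adjust them to your host.
#
# Matching chrony.conf lines (note fullchain.pem rather than cert.pem):
#   ntsservercert /etc/chrony/cert/fullchain.pem
#   ntsserverkey  /etc/chrony/cert/privkey.pem
set -eu

LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live/time.example.org}"  # assumed lineage
CHRONY_CERT_DIR="${CHRONY_CERT_DIR:-/etc/chrony/cert}"
CHRONY_GROUP="${CHRONY_GROUP:-_chrony}"   # chronyd's group on Debian (assumption)

# Number of PEM certificates in a bundle: cert.pem holds just the leaf (1),
# fullchain.pem the leaf plus intermediate(s) (2 or more).
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Copy fullchain.pem and privkey.pem from SRC to DST, dereferencing certbot's
# live/ symlinks (-L), then make them group-readable (g+r) but never
# world-readable. Returns 1 if a source file is missing or unreadable.
install_nts_credentials() {
    src="$1"; dst="$2"; grp="${3:-}"
    for f in fullchain.pem privkey.pem; do
        [ -r "$src/$f" ] || { echo "missing or unreadable: $src/$f" >&2; return 1; }
    done
    mkdir -p "$dst"
    cp -L "$src/fullchain.pem" "$dst/fullchain.pem"
    cp -L "$src/privkey.pem" "$dst/privkey.pem"
    chmod 0750 "$dst"
    chmod 0640 "$dst/fullchain.pem" "$dst/privkey.pem"
    if [ -n "$grp" ] && getent group "$grp" >/dev/null 2>&1; then
        chgrp "$grp" "$dst" "$dst/fullchain.pem" "$dst/privkey.pem"
    fi
}

# The checks from the thread, automated: the chain must contain more than the
# leaf, and the key must not be world-readable. Returns 0 when both hold.
verify_nts_credentials() {
    dst="$1"
    n=$(pem_cert_count "$dst/fullchain.pem"); n="${n:-0}"
    if [ "$n" -lt 2 ]; then
        echo "$dst/fullchain.pem has $n certificate(s); expected leaf + intermediate(s)" >&2
        return 1
    fi
    # column 8 of 'ls -l' output is the 'other' read bit
    if [ "$(ls -l "$dst/privkey.pem" | cut -c8)" = "r" ]; then
        echo "$dst/privkey.pem is world-readable" >&2
        return 1
    fi
    return 0
}

# External check, as in the thread's openssl s_client test: does NTS-KE (TCP
# 4460 by default) complete a TLS handshake and present the expected chain?
# ntske/1 is the ALPN identifier NTS-KE uses (RFC 8915). Needs network access.
check_nts_ke() {
    host="$1"; port="${2:-4460}"
    printf '' | openssl s_client -showcerts -connect "$host:$port" \
        -servername "$host" -alpn ntske/1 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# Deploy-hook entry point. chronyd reads the credentials only at startup,
# hence the restart (as in Gerd's snippet).
main() {
    src="${RENEWED_LINEAGE:-$LE_LIVE}"
    install_nts_credentials "$src" "$CHRONY_CERT_DIR" "$CHRONY_GROUP"
    verify_nts_credentials "$CHRONY_CERT_DIR"
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart chrony
    fi
}

# Act only when certbot invokes us (it exports RENEWED_LINEAGE) or when run
# by hand with --run; otherwise the functions can be sourced and tested.
if [ -n "${RENEWED_LINEAGE:-}" ] || [ "${1:-}" = "--run" ]; then
    main
fi
```

Install it as the certbot deploy hook (e.g. drop it into the renewal-hooks/deploy directory, or pass it with --deploy-hook); after a renewal, `check_nts_ke time.example.org` reproduces from outside the openssl s_client test from the thread, and the verify step fails the hook loudly instead of letting chronyd start with credentials it cannot use.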