On 4/2/19 8:42 PM, Gary E. Miller via devel wrote:
>> B) You can specify a directory, in which case the certificates must be
>> named (or more typically, symlinked) with their hash; see `openssl
>> rehash`. Note that the files processed by `openssl rehash` must have
>> one certificate per file.
>
> I'm just going by the ntp.conf doc. Which does not mention that.

Good point. I created this MR to document it:
https://gitlab.com/NTPsec/ntpsec/merge_requests/993

> I'm not gonna edit .pem files, real users can't figure out how to do
> that.

Right, that suggestion was just for testing.

> So I put the LE chain.pem and cert.pem in /tmp. Then did the rehash.
> That yielded the hash links.

Excellent.

> If I delete the hash to chain.pem then it fails again. So the hash to
> cert.pem does not help.

Perfect. That's exactly how it should work. The "ca" option specifies
CAs, not end certificates.

Does it work with "ca chain.pem" (specifying a file, as opposed to a
directory)? If you already tested this earlier in the thread and I
missed it, ignore me.

> Of the things I'd like to force, cert.pem is
> the top of my list.

Pinning the end cert is a separate issue.

>> See if that works with "ca=/tmp/certs" in ntp.conf.
>
> Are you sure about the equal sign? Not what "man ntp.conf" says:

You're right. No equals. I typed that too fast.

-- 
Richard
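The two trust-store shapes discussed in the reply above (a hashed directory with one certificate per file, and a single bundle file), as an added, runnable example that is not part of the NTPsec project or of this thread. It generates a throwaway root, intermediate and leaf with openssl, so no real Let's Encrypt material is touched; every file and subject name in it is constructed, and `openssl verify` stands in for the verification ntpd does with its "ca" setting rather than exercising ntp.conf itself. It assumes OpenSSL 1.1.0 or newer, which is when `openssl rehash` and the `-no-CAfile`/`-no-CApath` options appeared.

```shell
#!/bin/sh
# Added example, not part of the NTPsec project or of this thread.
# Builds a throwaway root -> intermediate -> leaf chain, then shows the two
# trust-store shapes from the thread: a hashed directory (one cert per file,
# "openssl rehash") and a single bundle file.  "openssl verify" stands in for
# the verification ntpd performs; all names and files here are constructed.
# Assumes OpenSSL 1.1.0 or newer (openssl rehash, -no-CAfile/-no-CApath).

set -u

# Generate root, intermediate and leaf in directory $1.  Produces the two
# files an ACME client typically hands you: cert.pem (the leaf) and chain.pem
# (the issuing CAs).  The self-signed root is put into chain.pem on purpose:
# by default OpenSSL only treats a self-signed certificate as a trust anchor.
make_chain() {
    d=$1
    mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ntp.example.test\n' > "$d/leaf.ext"
    # self-signed root
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" \
        -subj "/CN=Example Root" >/dev/null 2>&1
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 3650 \
        -extfile "$d/ca.ext" -out "$d/root.pem" >/dev/null 2>&1
    # intermediate, signed by the root
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" \
        -subj "/CN=Example Intermediate" >/dev/null 2>&1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 1825 -extfile "$d/ca.ext" -out "$d/int.pem" >/dev/null 2>&1
    # leaf (the server certificate), signed by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
        -subj "/CN=ntp.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -days 365 -extfile "$d/leaf.ext" -out "$d/leaf.pem" >/dev/null 2>&1
    cp "$d/leaf.pem" "$d/cert.pem"
    cat "$d/int.pem" "$d/root.pem" > "$d/chain.pem"
}

# Split a PEM bundle ($1) into one-certificate-per-file under $2, which is
# the shape "openssl rehash" requires.  Prints the number of certs written.
split_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/ca-%02d.pem", dir, n); inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { close(out); inside = 0 }
        END { print n + 0 }
    ' "$1"
}

# Hash-link every single-cert file in $1 (what "ca <dir>" expects) and print
# how many <subject-hash>.N links were created.
rehash_dir() {
    openssl rehash "$1" >/dev/null 2>&1
    ls "$1" | grep -c '^[0-9a-f]\{8\}\.[0-9][0-9]*$' || true
}

# Verify leaf $1 against hashed directory $2 only; prints OK or FAIL.
verify_against_dir() {
    if openssl verify -no-CAfile -CApath "$2" "$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Verify leaf $1 against bundle file $2 only (the "ca chain.pem" form).
verify_against_file() {
    if openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

demo() {
    w=$(mktemp -d)
    make_chain "$w"
    echo "certs in chain.pem:      $(split_bundle "$w/chain.pem" "$w/cadir")"
    echo "hash links in cadir:     $(rehash_dir "$w/cadir")"
    echo "leaf vs hashed CA dir:   $(verify_against_dir "$w/cert.pem" "$w/cadir")"
    echo "leaf vs chain.pem file:  $(verify_against_file "$w/cert.pem" "$w/chain.pem")"
    # Hashing the end-entity cert itself, as tried in the thread, buys nothing:
    # lookups are by issuer name, and the leaf is nobody's issuer.
    mkdir -p "$w/leafdir" && cp "$w/cert.pem" "$w/leafdir/"
    rehash_dir "$w/leafdir" >/dev/null
    echo "leaf vs dir with only cert.pem: $(verify_against_dir "$w/cert.pem" "$w/leafdir")"
    rm -rf "$w"
}

if command -v openssl >/dev/null 2>&1; then demo; else echo "openssl not found; nothing to demonstrate" >&2; fi
```

Two points worth keeping in mind when doing this for real. First, `openssl rehash` links files by subject-name hash, so a directory holding only the end-entity certificate never helps a verifier looking up the leaf's issuer; that is the "hash to cert.pem does not help" result in the thread. Second, the example puts the self-signed root into chain.pem because OpenSSL, by default, will not stop at a trusted intermediate; if your bundle contains only intermediates, verification fails with "unable to get issuer certificate" unless partial-chain verification is enabled.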
_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel