Udo van den Heuvel via devel writes:
> On 13-12-2019 11:31, Udo van den Heuvel via devel wrote:
>> No change in ntpd behaviour...
>
> Certificates ended up in /etc/pki/tls/certs/ca-bundle.trust.crt and
> /etc/pki/tls/certs/ca-bundle.crt
>
> But after an ntpd restart no change...
You didn't forget
udo...@xs4all.nl said:
> The chroot is the root cause I guess. Thanks for tipping me about that one.
> I copied over /etc/pki to /chroot/ntpd/etc and stuff starts to see certs and
> such:
Thanks for bringing this to our attention and helping to track it down.
--
These are my opinions. I ha
On 13-12-2019 12:37, Hal Murray wrote:
> Are you using a chroot jail? If so, does it let ntpd see the root certs?
The chroot is the root cause I guess.
Thanks for tipping me about that one.
I copied over /etc/pki to /chroot/ntpd/etc and stuff starts to see certs
and such:
Dec 13 12:42:57 sp2 nt
> Dec 13 11:07:18 sp2 ntpd[1582985]: NTSc: certificate issuer name:
> /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> Dec 13 11:07:18 sp2 ntpd[1582985]: NTSc: certificate invalid: 20=>unable to
> get local issuer certificate
> Dec 13 11:07:18 sp2 ntpd[1582985]: NTSc: NTS-KE req to ntp2.glypn
On 13-12-2019 11:31, Udo van den Heuvel via devel wrote:
> No change in ntpd behaviour...
Certificates ended up in /etc/pki/tls/certs/ca-bundle.trust.crt and
/etc/pki/tls/certs/ca-bundle.crt
But after an ntpd restart no change...
Udo
___
devel mailin
On 13-12-2019 11:21, Udo van den Heuvel via devel wrote:
> On 13-12-2019 11:09, Udo van den Heuvel via devel wrote:
>> So is this an issue in the ca-certificates rpm?
>
> https://letsencrypt.org/certificates/ shows the relationships between
> certificates.
> Could it be that the Fedora rpm has no
On 13-12-2019 11:09, Udo van den Heuvel via devel wrote:
> So is this an issue in the ca-certificates rpm?
https://letsencrypt.org/certificates/ shows the relationships between
certificates.
Could it be that the Fedora rpm has no info on the X3 cert?
Udo
__
Hal,
On 13-12-2019 10:56, Hal Murray wrote:
> On Fedora, it's ca-certificates.noarch
Dec 13 11:07:18 sp2 ntpd[1582985]: NTSc: DNS lookup of ntp2.glypnod.com
took 0.031 sec
Dec 13 11:07:18 sp2 ntpd[1582985]: NTSc: nts_probe connecting to
ntp2.glypnod.com:123 => [2a03:b0c0:1:d0::1f9:f001]:123
Dec 1
> Can anybody confirm that installing the certificates for ntpd as a server can
> fix the client-side certificate issues as well?
No.
For a client, you need a root certificate for each server's certificate. Most
distros have a package with many root certificates and their libssl is
On 10-12-2019 06:47, Hal Murray wrote:
> Do you have the normal collection of root certificates installed? Are they
> up to date?
Can anybody confirm that installing the certificates for ntpd as a
server can fix the client-side certificate issues as well?
Kind regards,
Udo
__
Hal,
On 10-12-2019 06:47, Hal Murray wrote:
>> I also might have a local issue as I get:
>> NTSc: certificate invalid: 20=>unable to get local issuer certificate
>> (for the other servers mentioned at the howto page)
>
> What OS/distro/version are you using?
Fedora 31 Linux with kernel.org, git
devel@ntpsec.org said:
> Web browsers often don't use the certificate chain of the system they're
> running on. I generally use either the gnutls tools or curl when trying
> to debug cert problems.
Could you provide an example? How do I get curl to tell me the certificate on
a NTS-KE ser
Hal Murray via devel writes:
> I was trying to suggest using a web browser to contact a few non NTS sites as
> a way to check the local collection of root certificates.
Web browsers often don't use the certificate chain of the system they're
running on. I generally use either the gnutls to
watsonbl...@gmail.com said:
> The web server uses a different certificate from the time service, so
> connecting to 443 is no guarantee 1234 will work.
Good point. Thanks.
I was trying to suggest using a web browser to contact a few non NTS sites as a
way to check the local collection of root
Merge Request submitted.
--
Sanjeev Gupta
+65 98551208 http://www.linkedin.com/in/ghane
On Tue, Dec 10, 2019 at 10:13 AM Sanjeev Gupta wrote:
> I will do that, and re-read Quick-NTS (which was written early on).
>
> --
> Sanjeev Gupta
> +65 98551208 http://www.linkedin.com/in/ghane
>
On Mon, Dec 9, 2019, 9:47 PM Hal Murray via devel wrote:
>
> > I also might have a local issue as I get:
> > NTSc: certificate invalid: 20=>unable to get local issuer certificate
> > (for the other servers mentioned at the howto page)
>
> What OS/distro/version are you using?
>
> Do you have the
> I also might have a local issue as I get:
> NTSc: certificate invalid: 20=>unable to get local issuer certificate
> (for the other servers mentioned at the howto page)
What OS/distro/version are you using?
Do you have the normal collection of root certificates installed? Are they up
to dat
On 10-12-2019 06:18, Udo van den Heuvel via devel wrote:
> Dec 10 05:52:57 s2 ntpd[984825]: NTSc: NTS-KE req to
> time.cloudflare.com:1234 took 0.070 sec, fail
I also might have a local issue as I get:
NTSc: certificate invalid: 20=>unable to get local issuer certificate
(for the other servers
On 10-12-2019 05:58, Hal Murray wrote:
> openssl s_client -showcerts -quiet time.cloudflare.com:1234
# openssl s_client -showcerts -quiet time.cloudflare.com:1234
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc,
>> Also: NTSc: certificate invalid: 19=>self signed certificate in certificate
>> chain
> server time.cloudflare.com:1234 nts # TLS1.3 only
Weird. It works from here.
Is there anything interesting in?
openssl s_client -showcerts -quiet time.cloudflare.com:1234
I get:
depth=2 C = US, O = Di
On 10-12-2019 05:03, Hal Murray wrote:
>
>> Also: NTSc: certificate invalid: 19=>self signed certificate in certificate
>> chain
>
>> When I try nts as a client...
>
> Which host?
>
The first one in the howto:
Public NTP servers supporting NTS:
server time.cloudflare.com:1234 nts # TLS1.3
> Also: NTSc: certificate invalid: 19=>self signed certificate in certificate
> chain
> When I try nts as a client...
Which host?
--
These are my opinions. I hate spam.
___
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/lis
On 09-12-2019 23:38, Paul Theodoropoulos via devel wrote:
> https://docs.ntpsec.org/latest/NTS-QuickStart.html
>
> If anyone has a contact over at cloudflare, you might ask them to
> correct this...
Also: NTSc: certificate invalid: 19=>self signed certificate in
certificate chain
When I try nts
I will do that, and re-read Quick-NTS (which was written early on).
--
Sanjeev Gupta
+65 98551208 http://www.linkedin.com/in/ghane
On Tue, Dec 10, 2019 at 7:22 AM Hal Murray via devel
wrote:
>
> > links to the NTPsec quickstart page -
> > https://docs.ntpsec.org/latest/quick.html
> > whic
> links to the NTPsec quickstart page -
> https://docs.ntpsec.org/latest/quick.html
> which only discusses NTP, rather than NTS.
> The correct destination would be
> https://docs.ntpsec.org/latest/NTS-QuickStart.html
We should have links from each page to the other.
The NTS page should probabl
I've forwarded your message to Watson Ladd.
On Mon, Dec 9, 2019, 17:38 Paul Theodoropoulos via devel
wrote:
> I just noticed that Cloudflare's documentation for NTS -
>
> https://developers.cloudflare.com/time-services/nts/usage/
>
> links to the NTPsec quickstart page -
>
> https://docs.ntpsec.
I just noticed that Cloudflare's documentation for NTS -
https://developers.cloudflare.com/time-services/nts/usage/
links to the NTPsec quickstart page -
https://docs.ntpsec.org/latest/quick.html
which only discusses NTP, rather than NTS.
The correct destination would be
https://docs.ntpsec.