Since the update to 21.7.6 and a renewal of my wildcard LetsEncrypt certificate by the ACME plugin and [...?], chrony could not connect to most NTS servers.
The syslog is spammed with error messages as follows (presumably one per server):
2021-12-02T14:15:36 chronyd[5971] Could not set credentials : Error while reading file.
For some reason, most NTS servers failed but two NTS servers worked: time.cloudflare.com and nts1.time.nl.
It seems to be some form of permission error on the SSL cert file. The following was set:
root@OPNsense:/usr/local/etc # ls -la /etc/ssl/
total 454
drwxr-xr-x 2 root wheel 4 Nov 29 11:30 .
drwxr-xr-x 25 root wheel 99 Nov 25 21:09 ..
-rw-r----- 1 root wheel 698890 Nov 29 11:30 cert.pem
-rw-r--r-- 1 root wheel 10921 Nov 10 11:08 openssl.cnf
With cert.pem set to "rw-r-----", I had the described issues.
If the cert.pem is set to "rw-r--r--" (chmod 644 cert.pem), chrony can connect to all NTS servers just fine (like before):
asche77
changed the title
Chrony NTS - 21.7.6 ACME client breaks NTS / SSL certificate permission
Chrony NTS - in 21.7.6, something breaks SSL certificate permission, causing Chrony not being able to access NTS servers
Dec 2, 2021
Comment: Not sure anymore it is really an ACME issue:
ACME renewed my certificate on Nov 30, 03.00 CET
cert.pem carries datestamp Nov 29, 11.30
Could it also be that chrony was removed from user group "wheel"? Or another action causing a renewal / rights reset of cert.pem?
asche77
changed the title
Chrony NTS - in 21.7.6, something breaks SSL certificate permission, causing Chrony not being able to access NTS servers
Chrony - in 21.7.6, NTS fails if chrony cannot read /etc/ssl/cert.pem, and something did remove the read rights for Chrony
Dec 2, 2021
fichtner
changed the title
Chrony - in 21.7.6, NTS fails if chrony cannot read /etc/ssl/cert.pem, and something did remove the read rights for Chrony
firmware: wrong permission on /etc/ssl/cert.pem after 'configctl firmware configure'
Dec 8, 2021
#5396
... leaves us with permission 640 even though we have copied a
644 file. Removing the unlink() makes this work without a
chmod but the unlink is there for the fact that /etc/ssl/cert.pem
used to be a symlink and could clobber the actual file linked
which was the original package provided.
Might be an umask issue, but better leave it where it is.
(cherry picked from commit 7a68bab)
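The symptom in the report (and the root cause noted in the commit message above) is a CA bundle left at mode 640 root:wheel, which an unprivileged daemon such as chronyd cannot open, so NTS certificate validation fails with "Could not set credentials". The following POSIX sh functions are an added example, not code from the OPNsense project or the issue, for checking after an upgrade or certificate renewal that the bundle is world-readable and resetting it to 644 (the mode the report confirms works) if it is not. The default path /etc/ssl/cert.pem is taken from the report; the function names are my own.

```shell
#!/bin/sh
# Added example (not OPNsense project code): verify that a CA bundle such as
# /etc/ssl/cert.pem can be read by unprivileged daemons like chronyd, which
# runs as its own user and is not in group wheel. A 640 root:wheel file, as
# seen in the report, fails this check; 644 passes.

# cert_world_readable FILE -> returns 0 if "other" has the read bit, 1 otherwise.
# Parses the ls(1) mode string (char 8 is other-read) so it works on both
# FreeBSD and Linux without the non-portable stat(1) format flags.
cert_world_readable() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(ls -ld "$f" | cut -c1-10)
    case "$mode" in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

# ensure_cert_readable FILE -> leaves the file at 644 when it is not
# world-readable and reports what it did; returns 1 if it still is not readable.
ensure_cert_readable() {
    f=$1
    if cert_world_readable "$f"; then
        echo "ok: $f is world-readable"
        return 0
    fi
    echo "fixing: $f is not world-readable, applying chmod 644"
    chmod 644 "$f" || return 1
    cert_world_readable "$f"
}

# Usage (run as root on the firewall after 'configctl firmware configure' or a
# certificate renewal; pass another path as $1 to check a different bundle):
#   ensure_cert_readable "${1:-/etc/ssl/cert.pem}"
```

The check deliberately tests the "other" read bit rather than group membership, because the daemon user is neither root nor in wheel; a bundle readable only by owner and group is exactly the state the report describes as broken.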
chronyc sources shows
cert.pem is used by chrony as per its config file:
EDIT: No longer sure it is actually ACME causing this.
Expected behavior
Chrony to continue being able to access the NTS servers following a certificate update.
Software version used and hardware type if relevant, e.g.:
OPNsense 21.7.6-amd64
FreeBSD 12.1-RELEASE-p21-HBSD
OpenSSL 1.1.1l 24 Aug 2021