NTS: removed "not implemented" on server ca

Gary E. Miller gem at rellim.com
Wed Apr 3 01:42:04 UTC 2019

Yo Richard!

On Tue, 2 Apr 2019 20:00:27 -0500
Richard Laager via devel <devel at ntpsec.org> wrote:

> On 4/2/19 5:35 PM, Gary E. Miller via devel wrote:
> > Also, still broken for me when the fullchain.pem is in /tmp:  
> OpenSSL takes root certificates in two ways.

Well, somehow some people manage to get more.

> B) You can specify a directory, in which case the certificates must be
> named (or more typically, symlinked) with their hash; see `openssl
> rehash`. Note that the files processed by `openssl rehash` must have
> one certificate per file.

I'm just going by the ntp.conf doc.  Which does not mention that.

> Technically speaking, fullchain.pem from certbot does not contain a
> root certificate. It contains the end certificate and an intermediate
> CA certificate. That said, adding the intermediate as a trusted root
> should still cause validation to pass.

Yup.  For example, technically, there is NO Let's Encrypt Root cert.
They had to piggyback on other CA's:


> Try something like this:
> mkdir /tmp/certs
> cp /tmp/fullchain.pem /tmp/certs/
> cd /tmp/certs
> vi fullchain.pem
> # Delete the first cert, (the end certificate) from the
> # -----BEGIN CERTIFICATE----- line through the
> # ------ END CERTIFICATE----- line, inclusive. This will leave only
> # the intermediate certificate.
> openssl rehash .

No joy:

kong /tmp # openssl rehash .
rehash: warning: skipping fullchain.pem,it does not contain exactly one certificate or CRL

I'm not gonna edit .pem files, real users can't figure out how to do

So I put the LE chain.pem and cert.pem in /tmp.  Then did the rehash.
That yielded the hash links.
Then this line works:

server -4 pi3.rellim.com nts maxpoll 5 ca /tmp  # pi3

If I delete the hash to chain.pem then it fails again.  So the hash to
cert.pem does not help.  Of the things I'd like to force, cert.pem is
the top of my list.  It is the only cert I know I can get remotely.

> That should give you the following, assuming you have the Let's
> Encrypt intermediate that chains up to IdenTrust, which is the
> certbot default:
> $ ls
> 4f06f81d.0  fullchain.pem
> See if that works with "ca=/tmp/certs" in ntp.conf.

Are you sure about the equal sign?  Not what "man ntp.conf" says:

       ca location
           Use the file (or directory) specified by location to validate
           NTS-KE server certificates instead of the system default root

I'm trying to go by the doc here, and not try other things.  That way I
am debugging that the doc matches the code and vice-versa.

Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
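The thread above stalls on the step "delete the first cert from fullchain.pem by hand" so that `openssl rehash` accepts the file. The script below is an added example, not code from the ntpsec project or from anyone in the thread: it splits any PEM bundle (certbot's fullchain.pem, or a chain.pem plus cert.pem concatenated) into one-certificate-per-file, which is the shape `openssl rehash` requires, and then builds the hash links in the directory you would point the ntp.conf `ca` directive at. It assumes POSIX sh and awk; the rehash step runs only if an `openssl` binary is on the PATH. The function names and the `cert-N.pem` naming are my own choices, and the two-certificate bundle used in the usage comment is constructed, not a real chain.

```shell
#!/bin/sh
# Split a PEM certificate bundle into one certificate per file, then run
# `openssl rehash` on the result so the directory can be used as a CApath
# (e.g. the ntp.conf `ca /path/to/dir` directive).
# Added example, not from the ntpsec project or the mailing-list thread.

# split_pem_bundle BUNDLE OUTDIR
# Copies every -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
# block of BUNDLE into OUTDIR/cert-1.pem, OUTDIR/cert-2.pem, ... and prints
# the number of certificates written. Text outside the markers is dropped.
split_pem_bundle() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                      { print > out }
        /^-----END CERTIFICATE-----/   { close(out); out = "" }
        END                            { print n + 0 }
    ' "$bundle"
}

# count_certs FILE
# Prints how many BEGIN CERTIFICATE markers FILE contains; `openssl rehash`
# skips any file where this is not exactly 1 (the warning seen in the thread).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# build_capath BUNDLE OUTDIR
# Splits BUNDLE into OUTDIR and creates the <hash>.N symlinks that OpenSSL's
# directory lookup needs. Prints the certificate count.
build_capath() {
    n=$(split_pem_bundle "$1" "$2")
    if command -v openssl >/dev/null 2>&1; then
        # One certificate per file now, so rehash will not skip anything.
        openssl rehash "$2"
    else
        echo "openssl not found; split only, no hash links created" >&2
    fi
    echo "$n"
}

# Usage (from the command line):
#   sh build-capath.sh /etc/letsencrypt/live/example/fullchain.pem /tmp/certs
#   ls -l /tmp/certs        # cert-1.pem cert-2.pem plus <hash>.0 symlinks
# then in ntp.conf:
#   server pi3.rellim.com nts ca /tmp/certs
if [ "$#" -ge 2 ]; then
    build_capath "$1" "$2"
fi
```

Because certbot's fullchain.pem is end-entity certificate first, `cert-1.pem` is the server certificate and `cert-2.pem` the intermediate; after rehash both get hash links, so the directory will validate whether OpenSSL stops at the intermediate or only trusts the leaf. Remove `cert-1.pem` and its link if you want to trust only the intermediate, which is what Richard's manual edit produced.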