NTS update

Gary E. Miller gem at rellim.com
Wed Mar 20 23:45:54 UTC 2019


Yo Hal!

On Wed, 20 Mar 2019 16:28:36 -0700
Hal Murray via devel <devel at ntpsec.org> wrote:

> > I added this to my ntp.conf:
> >     nts enable
> >     cert /etc/letsencrypt/live/kong.rellim.com/fullchain.pem
> >     key /etc/letsencrypt/live/kong.rellim.com/privkey.pem
> > Fail.   
> 
> You need "nts" in front of the cert and key.  Or else one loong
> line.  There is no "cert" top level command.

Ah, the man page is unclear on that:

       nts [enable|disable] [mintls version] [maxtls version] [tlsciphers
       name] [tlsciphersuites name]

No mention of cert or key there.

Also, the man page makes no mention of default cert in: /etc/ntp/cert-chain.pem

> If you specify a log file in your ntp.conf, the error messages from
> parsing ntp.conf end up in /var/log/messages (or wherever your system
> puts syslog) -- chicken and egg.  I'll bet you find error messages if
> you look for them.

Which is where I got the error message that I sent you.

> > That should prolly mention tcp, as udp 123 is also used.  
> 
> Is "listen" used with UDP?

Yes, how else does ntpd get messages on UDP 123?

> > What is "NTSs"?  
> 
> Eric put XXX: on the front of all the msyslog messages.  The final
> "s" is for server side messages.  There are some with "c" for client
> side.

Weird.  I thought we agreed to use NTS-KE, not NTS?  Needs to be on the
man page.

So, now I have to ntpd with NTS-KE running.  But, new issues.

I changed this:

server 204.17.205.8 maxpoll 5 # spidey

To this:

server 204.17.205.8 nts maxpoll 5 # spidey

Now the server starts as before, then, silently dies...

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin