NTS-KE req fail

[Achim Gratz]

Udo van den Heuvel via devel writes:
> Ah, thanks, then I find:
>
> NTSc: certificate invalid: 10=>certificate has expired

How about you post the log for the whole key exchange and not always
just a single line and the another one in the next mail?  Here's what
that looks like here:

2020-02-23T07:38:09 ntpd[1882]: NTSc: DNS lookup of pi3.rellim.com took 0.002 sec
2020-02-23T07:38:09 ntpd[1882]: NTSc: nts_probe connecting to pi3.rellim.com:123 => 204.17.205.23:123
2020-02-23T07:38:09 ntpd[1882]: NTSc: set cert host: pi3.rellim.com
2020-02-23T07:38:09 ntpd[1882]: NTSc: Using TLSv1.3, TLS_AES_256_GCM_SHA384 (256)
2020-02-23T07:38:09 ntpd[1882]: NTSc: certificate subject name: /CN=pi3.rellim.com
2020-02-23T07:38:09 ntpd[1882]: NTSc: certificate issuer name: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
2020-02-23T07:38:09 ntpd[1882]: NTSc: certificate is valid.
2020-02-23T07:38:09 ntpd[1882]: NTSc: Good ALPN ntske/1 (7) from pi3.rellim.com
2020-02-23T07:38:09 ntpd[1882]: NTSc: read 880 bytes
2020-02-23T07:38:09 ntpd[1882]: NTSc: Got 8 cookies, length 104, aead=15.
2020-02-23T07:38:09 ntpd[1882]: NTSc: NTS-KE req to pi3.rellim.com took 0.752 sec, OK

> is that a local expiration or a remote one?

It's always the expiration of the certificate from the remote end,
potentially followed through the cert chain.  However, it is extremely
unlikely that any of the intermediate certs has expired, that would
instantly kill every cert signed by that CA.  Unless you've set up your
own CA, you don't have a local cert for anything anyway.

Based on you past failure reports I'd suggest that something's amiss
with the setup of your chroot environment again.  Either that or your
clock is way off into the future.



Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Factory and User Sound Singles for Waldorf Blofeld:
http://Synth.Stromeko.net/Downloads.html#WaldorfSounds