ntpd Certificate Loading

Sanjeev Gupta ghane0 at gmail.com
Tue Jun 9 03:27:28 UTC 2020


(git commit 892fbb435e71349da502b7e2436648f52a09af6f )

Hal, I have the other end of the stick now.

My LetsEncrypt certificate path is /etc/letsencrypt/archive/ntpmon.dcs1.biz/

The file:
-rw-r--r-- 1 root root 3558 May  9 09:39 fullchain28.pem

However,
root at ntpmon:/etc/letsencrypt# ls -dl /etc/letsencrypt/archive/
drwx------ 3 root root 4096 Jan 17  2016 /etc/letsencrypt/archive/

Which causes ntpd to fail on startup (I assume after dropping root):
<snip>

2020-06-09T11:15:58 ntpd[15250]: INIT: OpenSSL 1.1.1g  21 Apr 2020, 1010107f
2020-06-09T11:15:58 ntpd[15250]: NTSs: starting NTS-KE server listening on port 4460
2020-06-09T11:15:58 ntpd[15250]: NTSs: OpenSSL security level is 2
2020-06-09T11:15:58 ntpd[15250]: NTSs: starting NTS-KE server listening on old port 123
2020-06-09T11:15:58 ntpd[15250]: NTSs: listen4 worked
2020-06-09T11:15:58 ntpd[15250]: NTSs: listen6 worked
2020-06-09T11:15:58 ntpd[15250]: NTSs: starting NTS-KE server listening on port 4460
2020-06-09T11:15:58 ntpd[15250]: NTSs: listen4 worked
2020-06-09T11:15:58 ntpd[15250]: NTSs: listen6 worked
2020-06-09T11:15:58 ntpd[15250]: NTSc: Using system default root certificates.
2020-06-09T11:15:58 ntpd[15250]: NTSs: can't stat certificate (chain) from /etc/letsencrypt/live/ntpmon.dcs1.biz/fullchain.pem: Permission denied
2020-06-09T11:15:58 ntpd[15250]: NTS: troubles during init2.  Bailing.
2020-06-09T11:15:58 ntpd[15250]: PROTO: 0.0.0.0 c01d 0d kern kernel time sync disabled

Um, what do I do?  I want to use LE, I want that directory secure, and I
want to drop root.



-- 
Sanjeev Gupta
+65 98551208     http://www.linkedin.com/in/ghane


On Wed, Apr 8, 2020 at 12:16 AM Richard Laager via devel <devel at ntpsec.org> wrote:

> ntpd seems to load the TLS certificate and key before dropping
> privileges. Unfortunately, when it tries to *reload* the certificate
> later, it has dropped privileges and fails. This is a bit of a trap, as
> a sysadmin can think a setup is working when it isn't. (This bit me.) I
> think it would be better to do the initial load after dropping
> privileges so that it is consistent with reloading.
>
> --
> Richard
>
> _______________________________________________
> devel mailing list
> devel at ntpsec.org
> http://lists.ntpsec.org/mailman/listinfo/devel
>
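The "Permission denied" in the log above only names the configured path, not which directory actually blocks the unprivileged ntp user. The following diagnostic is an added example for this thread, not ntpd or certbot code: it walks the path as written and its symlink-resolved form (certbot's live/ entries are symlinks into archive/) and prints the first component whose "other" bits deny traversal or read. It assumes GNU or busybox stat/readlink and a daemon user that is neither the owner nor in the group of the letsencrypt directories.

```shell
#!/bin/sh
# Added diagnostic, not ntpd or certbot code. After ntpd drops root, stat() on
# the chain file needs search (x) permission on every directory of the path as
# configured AND of the symlink target (certbot's live/ entries are symlinks
# into archive/), plus read (r) permission on the file itself. This script
# checks the "other" permission bits of each component and prints the first
# one that blocks, which is what the log line's "Permission denied" hides.
# Assumes GNU/busybox stat and readlink, and a daemon user that is neither the
# owner nor in the group of the letsencrypt directories (typical for ntp).

# Print the first component of PATH that "other" cannot traverse/read and
# return 1; return 0 silently when the whole path is reachable.
walk_components() {
    rest=$1; dir=""
    case $rest in /*) rest=${rest#/} ;; *) dir="." ;; esac
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        if [ "$comp" = "$rest" ]; then rest=""; else rest=${rest#*/}; fi
        dir="$dir/$comp"
        # -L: a symlinked directory is judged by the mode of its target.
        mode=$(stat -L -c '%a' -- "$dir" 2>/dev/null) \
            || { printf '%s\n' "$dir"; return 1; }
        other=$(( 0$mode & 7 ))          # the "other" rwx bits (octal mode)
        if [ -d "$dir" ]; then
            [ $(( other & 1 )) -ne 0 ] || { printf '%s\n' "$dir"; return 1; }
        else
            [ $(( other & 4 )) -ne 0 ] || { printf '%s\n' "$dir"; return 1; }
        fi
    done
    return 0
}

# Check the path as written in ntp.conf and then its fully resolved form, since
# the kernel must traverse both when following the live/ -> archive/ symlink.
cert_path_blocker() {
    blocker=$(walk_components "$1") || { printf '%s\n' "$blocker"; return 1; }
    resolved=$(readlink -f -- "$1") || return 2
    blocker=$(walk_components "$resolved") || { printf '%s\n' "$blocker"; return 1; }
    return 0
}

# Usage (placeholder domain): run as root before the daemon drops privileges.
#   cert_path_blocker /etc/letsencrypt/live/example.test/fullchain.pem
```

A 0700 archive/ (as in the ls output above) is reported even when the chain file itself is 0644, because the file can be read only by a process that can first search every directory leading to it.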