ntpd Certificate Loading

Sanjeev Gupta ghane0 at gmail.com
Tue Jun 9 04:42:10 UTC 2020


On Tue, Jun 9, 2020 at 12:23 PM Hal Murray <hmurray at megapathdsl.net> wrote:

> > Which causes ntpd to fail on startup (I assume after dropping root):
>
> Looks like you are dying trying to read the certificate.  It will get
> worse when you want to read the key.
>
> --------------
>
> Do you trust user ntp?  If so, the fix is to change ownership.  I copy the
> cert and key over to /etc/ntp/ and change to user ntp:ntp
>

I trust user ntp; it is the only user on this system, but this is a
special case :-)

But then I lose the automatic rotation :-(


> If not, things get complicated.  The current code will reload the
> certificate if it is updated.  Are you willing to give that up?  If so,
> we can add an option to read the certificate before dropping root and
> disable trying to reload.  That probably won't work with early drop root.
>

No, I want it reloaded, as LE has short-life Certs.

I can handle my case (NTPsec is rebuilt often, and the build command I use
can copy over the Cert), but what is the general case we should handle?

I would like to use LE.  Issue LE certs specifically for NTP?  But then how
is this going to be validated (NTP has no web server, and no hooks to run
certbot).

I thought with Open Source I could get anything I wanted, for free, and
NOW!  At least that is what ESR promised me in his CATB book (the way I
recall it).  :-)

-- 
Sanjeev
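A worked version of the ownership fix Hal describes above, kept compatible with the automatic rotation Sanjeev does not want to lose: a certbot deploy hook that copies the freshly renewed certificate and key into /etc/ntp/ as ntp:ntp, so the unprivileged ntpd can read them and its reload-on-change logic picks up every renewal. This is an added example, not code from the thread or from NTPsec. It assumes certbot's deploy-hook environment variable RENEWED_LINEAGE (the directory of the lineage that was just renewed), that the hook runs as root after renewal, and that ntp.conf's "nts cert" / "nts key" directives point at the copies rather than at the Let's Encrypt directory. Copying instead of chowning the Let's Encrypt tree keeps the live private key root-only and hands ntp a read-only copy; each file is renamed into place so a reloading daemon never sees a half-written file.

```shell
#!/bin/sh
# Added example, not NTPsec code: certbot deploy hook that installs a renewed
# Let's Encrypt cert/key for an ntpd that drops root to user ntp.
# Assumed: certbot sets RENEWED_LINEAGE; ntp.conf uses "nts cert"/"nts key".
set -eu

# install_nts_cert SRC_DIR DST_DIR OWNER GROUP
# Copies fullchain.pem and privkey.pem from SRC_DIR (a certbot lineage
# directory) into DST_DIR as cert.pem / key.pem owned by OWNER:GROUP.
# The chain is world-readable (0644); the private key is owner-only (0600).
# Files are written under a temporary name and renamed into place, so a
# daemon that reloads on change never reads a partially written file.
install_nts_cert() {
    src=$1; dst=$2; owner=$3; group=$4

    for f in fullchain.pem privkey.pem; do
        [ -r "$src/$f" ] || { echo "missing or unreadable: $src/$f" >&2; return 1; }
    done
    [ -d "$dst" ] || { echo "destination is not a directory: $dst" >&2; return 1; }

    install -o "$owner" -g "$group" -m 0644 "$src/fullchain.pem" "$dst/.cert.pem.tmp"
    install -o "$owner" -g "$group" -m 0600 "$src/privkey.pem"   "$dst/.key.pem.tmp"
    mv -f "$dst/.cert.pem.tmp" "$dst/cert.pem"
    mv -f "$dst/.key.pem.tmp"  "$dst/key.pem"
}

# file_mode FILE: prints the permission string (e.g. -rw-------) so an
# operator or a test can confirm the key did not end up group/world readable.
file_mode() { ls -l "$1" | cut -c1-10; }

# Invoked by certbot as:  certbot renew --deploy-hook /path/to/this/script
# RENEWED_LINEAGE is set only in that context; sourcing the file elsewhere
# (for example to test the functions) does nothing.
if [ "${RENEWED_LINEAGE:-}" ]; then
    install_nts_cert "$RENEWED_LINEAGE" /etc/ntp ntp ntp
fi
```

Because ntpd only re-reads a file that changed, the copy step is the whole rotation story: no restart, no hook into ntpd itself, which is the missing piece Sanjeev asks about. If you do not trust user ntp with a long-lived key at all, issue a separate certificate for the NTP host name so that a compromise of the ntp user exposes only that one.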