ntpd Certificate Loading
Sanjeev Gupta
ghane0 at gmail.com
Tue Jun 9 17:12:16 UTC 2020
Hal,
I have solved the issue for now, by changing the group of the live/ and
archive/ directories in /etc/letsencrypt to ntp, and giving the group read
permissions.
root at ntpmon:/etc/letsencrypt# ls -l
total 36
drwx------ 4 root root 4096 Oct 21 2018 accounts
drwxr-x--- 3 root ntp 4096 Jan 17 2016 archive
-rw-r--r-- 1 root root 121 Jan 10 2018 cli.ini
drwxr-xr-x 2 root root 4096 May 9 09:39 csr
drwx------ 2 root root 4096 May 9 09:39 keys
drwxr-x--- 3 root ntp 4096 Jan 17 2016 live
-rw-r--r-- 1 root root 924 May 9 09:39 options-ssl-apache.conf
drwxr-xr-x 2 root root 4096 May 9 09:39 renewal
drwxr-xr-x 5 root root 4096 Oct 21 2017 renewal-hooks
We need to add this to the NTS Howto. Let me draft some language.
--
Sanjeev Gupta
+65 98551208 http://www.linkedin.com/in/ghane
On Tue, Jun 9, 2020 at 12:23 PM Hal Murray <hmurray at megapathdsl.net> wrote:
> > Which causes ntpd to fail on startup (I assume after dropping root):
>
> Looks like you are dying trying to read the certificate. It will get worse
> when you want to read the key.
>
> --------------
>
> Do you trust user ntp? If so, the fix is to change ownership. I copy the
> cert and key over to /etc/ntp/ and change to user ntp:ntp
>
> If not, things get complicated. The current code will reload the certificate
> if it is updated. Are you willing to give that up? If so, we can add an
> option to read the certificate before dropping root and disable trying to
> reload. That probably won't work with early drop root.
>
> --
> These are my opinions. I hate spam.
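The permission change discussed in this thread, as an added check that is not code from the thread or from NTPsec: it simulates the kernel's owner/group/other decision on every component of a certificate path, including the Let's Encrypt live/ -> archive/ symlink hop, so one can see why making live/ and archive/ group ntp with group read+search is what lets ntpd read the chain after dropping root, while accounts outside that group stay locked out. The tree, the "ntpmon" directory name and the uid/gid values are constructed; only plain POSIX mode bits are modelled (no ACLs, no AppArmor/SELinux).

```python
"""Added example: would an unprivileged account (ntpd after dropping root) be able to read a cert path?"""
import os
import stat
import tempfile

def _allowed(st, uid, gids, usr_bit, grp_bit, oth_bit):
    """One access class, picked as the kernel does: owner, else group, else other; root always passes."""
    bit = usr_bit if st.st_uid == uid else grp_bit if st.st_gid in gids else oth_bit
    return uid == 0 or bool(st.st_mode & bit)

def readable_as(path, uid, gids, top=os.sep, depth=0):
    """(ok, reason): search (x) on each directory below `top`, read (r) on the file; symlinks followed."""
    if depth > 40:  # crude ELOOP guard
        return False, "too many levels of symlinks at " + path
    parts = os.path.abspath(path).split(os.sep)[1:]
    skip = len(os.path.realpath(top).split(os.sep)[1:])  # components assumed reachable
    for i, part in enumerate(parts):
        cur = os.path.join(os.sep, *parts[:i + 1])
        st = os.lstat(cur)
        if stat.S_ISLNK(st.st_mode):  # re-walk the target plus the remaining components
            target = os.path.join(os.path.dirname(cur), os.readlink(cur), *parts[i + 1:])
            return readable_as(target, uid, gids, top, depth + 1)
        if i < len(parts) - 1:
            if i >= skip and not _allowed(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
                return False, "no search (x) permission on " + cur
        elif not _allowed(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
            return False, "no read permission on " + cur
    return True, "readable"

def demo():
    """Constructed letsencrypt-style tree; 'ntp' is simulated as a non-owner uid in the directories' group."""
    os.umask(0o022)  # predictable modes for the constructed tree (dirs 755, files 644)
    root = os.path.realpath(tempfile.mkdtemp())
    le = os.path.join(root, "etc", "letsencrypt")
    for d in ("archive/ntpmon", "live/ntpmon"):
        os.makedirs(os.path.join(le, d))
    cert = os.path.join(le, "archive", "ntpmon", "fullchain1.pem")
    open(cert, "w").write("constructed placeholder, not a real certificate\n")
    link = os.path.join(le, "live", "ntpmon", "fullchain.pem")
    os.symlink("../../archive/ntpmon/fullchain1.pem", link)
    for d in ("archive", "live"):  # before the fix: root-only directories, as the thread describes
        os.chmod(os.path.join(le, d), 0o700)
    gid, ntp_uid = os.stat(os.path.join(le, "live")).st_gid, os.getuid() + 1
    before = readable_as(link, ntp_uid, {gid}, top=root)
    for d in ("archive", "live"):  # the fix from the thread: the group gets read + search
        os.chmod(os.path.join(le, d), 0o750)
    after = readable_as(link, ntp_uid, {gid}, top=root)
    outsider = readable_as(link, ntp_uid, {gid + 1}, top=root)  # not in the group: still blocked
    return before, after, outsider
```

Running demo() shows the walk stopping at live/ before the fix, succeeding all the way through archive/ after it, and still stopping at live/ for a uid outside the group. The private key needs the same treatment (group on the key file itself), which this check will report as "no read permission" if it is missing.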