Self Signed Certs
Hal Murray
hmurray at megapathdsl.net
Thu May 7 20:10:12 UTC 2020
If I read things correctly, you are signing the server's certificate with your
root certificate. I tested with an intermediate cert in there. I don't know
any reason your case won't work, but it's not how I tested things.
[on server]
2020-05-07T16:24:58 ntpd[27974]: NTS: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
I think the "alert" is trying to tell you that it is relaying a message from
the client. The client bailed because it can't verify your certificate.
[on client]
server pluto nts ca /var/lib/ntp/certs/
That's a directory rather than a file. Again, not how I test things, but I
don't see any reason it won't work.
I assume you put the server's root certificate in there.
There is some dance you have to go through to set up a directory. OpenSSL uses
a hash. There is a utility that finds the certificates and sets up links from
the hash name to the real certificate, or something like that.
It seemed simpler to avoid that step by using a file rather than directory.
server <server-FQDN> nts ca <file-name-for-root-cert>
---------
The name you use on the server line has to match the name in the certificate.
Usually, that is a FQDN. I tested using example.com. Again, I don't know any
reason why a short name won't work but it's not how I tested things.
--
These are my opinions. I hate spam.
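The setup discussed in the thread, as an added example that is not code from the original post or from NTPsec: a self-signed root signs the server certificate directly, and the chain is then verified the two ways an "nts ca" line can be pointed at the root (one PEM file, or an OpenSSL hashed directory), including the name check and the missing-rehash failure. It assumes OpenSSL 1.1.1 or newer on the PATH; the hostname pluto.example.com, the CA name and the working directory are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: a self-signed root signs the
# server certificate directly (no intermediate), then the chain is checked
# both ways an "nts ca" line can point at it: a single PEM file or an
# OpenSSL hashed directory. Hostname, names and paths are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"
FQDN="${FQDN:-pluto.example.com}"   # must equal the name on the "server" line
make_certs() {
  cat > "$WORK/ca.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = Example NTS Root
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
subjectAltName = DNS:$FQDN
EOF
  # Self-signed root: this is the file (or directory content) the client needs.
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  # Server CSR, then sign it with the root; the SAN must match the FQDN.
  openssl req -new -config "$WORK/ca.cnf" -subj "/CN=$FQDN" -newkey rsa:2048 \
    -nodes -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 365 -extfile "$WORK/ca.cnf" -extensions v3_server \
    -out "$WORK/server.pem" 2>/dev/null
}
# "nts ca <file>": the root in one PEM file; $1 is the name the client uses.
verify_via_file() {
  openssl verify -no-CAfile -no-CApath -CAfile "$WORK/root.pem" \
    -verify_hostname "$1" "$WORK/server.pem" >/dev/null 2>&1
}
# "nts ca <dir>": OpenSSL finds CA certs in a directory only through
# <subject-hash>.N links that "openssl rehash" (or c_rehash) creates;
# "verify_via_dir raw" shows the same directory failing without that step.
verify_via_dir() {
  rm -rf "$WORK/certs" && mkdir "$WORK/certs" && cp "$WORK/root.pem" "$WORK/certs/"
  [ "$1" = rehash ] && openssl rehash "$WORK/certs" >/dev/null 2>&1
  openssl verify -no-CAfile -no-CApath -CApath "$WORK/certs" "$WORK/server.pem" >/dev/null 2>&1
}
make_certs
verify_via_file "$FQDN" && verify_via_dir rehash && echo "chain OK via file and via hashed dir"
```

Pointing the client at the unhashed directory, or using a server name that is not in the certificate, fails verification, which is what the "tlsv1 alert unknown ca" on the server side reflects.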