Raspberry Pi startup: certificate is not yet valid
Richard Laager
rlaager at wiktel.com
Mon May 9 08:37:00 UTC 2022
On 5/9/22 02:38, Hal Murray via devel wrote:
> Does anybody know how the initial time gets set on a Raspberry Pi -- before
> ntpd gets called?
I believe you're looking for "fake-hwclock". It periodically saves the
time to a file (allegedly* /etc/fake-hwclock.data) and restores it on boot.
* My home pi died, so I can't immediately double-check this.
> Should we do something like set the time to the time stamp of the drift file?
> (if it is significantly newer than the current time)
Probably not.
I still think we need a more comprehensive approach to this
bootstrapping problem. The problem is, I don't have the time to write
it. But I gave my thoughts before:
https://lists.ntpsec.org/pipermail/devel/2019-February/007576.html
The only update I have is that this statement is not true: "A normal CA
will not issue certificates that are valid longer than their root".
Let's Encrypt is serving a chain to the expired DST Root for enhanced
compatibility with old Android devices.
> That could backfire if, somehow, the system time got set into the future.
I had that happen once. It might have been due to a GPS rollover.
--
Richard
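
Added example, not part of the original post and not fake-hwclock or ntpd code: a model of how a TLS certificate's validity window looks to a Pi before and after a saved time is restored at boot, including the case raised above where the saved time is in the future. The file layout (one "YYYY-MM-DD HH:MM:SS" UTC line), the forward-only restore rule, and all timestamps are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

UTC = timezone.utc
FMT = "%Y-%m-%d %H:%M:%S"  # assumed layout of the saved-time file (UTC)

def parse_saved(text):
    """Parse the saved timestamp; None if the file is empty or malformed."""
    try:
        return datetime.strptime(text.strip(), FMT).replace(tzinfo=UTC)
    except ValueError:
        return None

def restore(clock, saved):
    """Assumed restore rule: step the clock forward only, never back."""
    return saved if saved is not None and saved > clock else clock

def cert_status(now, not_before, not_after):
    """Classify a certificate's validity window against a given 'now'."""
    if now < not_before:
        return "not yet valid"
    if now > not_after:
        return "expired"
    return "valid"

def boot_check(clock, saved_text, not_before, not_after):
    """Return (status with the raw boot clock, status after the restore)."""
    restored = restore(clock, parse_saved(saved_text))
    return (cert_status(clock, not_before, not_after),
            cert_status(restored, not_before, not_after))

# Constructed sample values: a clock with no RTC behind it and a
# certificate valid for roughly 90 days around the date of this thread.
COLD_CLOCK = datetime(1970, 1, 1, 0, 0, 17, tzinfo=UTC)
NOT_BEFORE = datetime(2022, 4, 1, tzinfo=UTC)
NOT_AFTER = datetime(2022, 6, 30, tzinfo=UTC)

SAMPLES = {
    "recent save": "2022-05-09 08:17:01",  # restore fixes the error
    "empty file": "",                      # nothing to restore, error stays
    "future save": "2041-11-20 00:00:00",  # restore turns it into "expired"
}

if __name__ == "__main__":
    for label, saved_text in SAMPLES.items():
        print(label, boot_check(COLD_CLOCK, saved_text, NOT_BEFORE, NOT_AFTER))
```
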