Raspberry Pi startup: certificate is not yet valid

Gary E. Miller gem at rellim.com
Tue May 10 18:01:36 UTC 2022


Yo Hal!

On Tue, 10 May 2022 10:26:08 -0700
Hal Murray <halmurray at sonic.net> wrote:

> Gary said:
> >> Should we do something like set the time to the time stamp of the
> >> drift file? (if it is significantly newer than the current time)  
> 
> > Nope.  Don't get in a fight with the OS.   
> 
> Could you please say more.

Be careful what you ask for.

> The whole purpose of ntpsec is to keep good time.

Yes, but so many other tasks also may think that is their job.  When two
fight, bad things happen.  It is the job of the OS, using its RC method
(OpenRC, systemd(umb), launchd, etc.) to pick the right programs, in the
right order, to keep time on that host.

> If we know the
> clock is way off, what's wrong with taking a big step to get a lot
> closer so certificate checking has a better chance of working?

Nothing at all, once the system RC has told ntpsec that system time is
its job, then ntpsec needs to do the best job it can.

I like your suggestion of ntpd using "-g" to get the system time close,
before checking any certificates.

The problem I see a lot is that a lot of Pi's are started with no
network connection, and a bad time, so swclock is commonly used
before starting ntpd.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can't measure it, you can't improve it." - Lord Kelvin