Raspberry Pi startup: certificate is not yet valid

Hal Murray halmurray at sonic.net
Wed May 11 08:53:30 UTC 2022


Thanks.


> I like your suggestion of ntpd using "-g" to get the system time close, before
> checking any certificates. 

It was Richard's suggestion, not mine.  The idea was to only skip the date 
checks and do the rest of the certificate checking.

I don't like it for 2 reasons.

The main reason is that it's a hole in security.  I don't want to clutter up 
security discussions and documentation with that very unlikely case.

The second reason is that OpenSSL isn't set up to skip only the date check.  We 
could easily implement your version of no-check, but that would make the tiny 
security hole a big hole.

------

I think the alternative is to get the clock reasonably close before running 
ntpd.

PCs with RTC/CMOS/TOY clocks are simple.  We will have to document potential 
troubles with dead batteries.

The problem is with Raspberry Pis and similar low-end systems that don't have 
a hardware clock.

As far as I can tell, each distro does it differently.  So we will have to 
document what to do on each distro.

> The problem I see a lot is that a lot of Pi's are started with no network
> connection, and a bad time, so swclock is commonly used before starting ntpd.

What is swclock?  What distros does it run on?

I think the Linux kernel sets the clock to the build time or something similar.

Debian/Ubuntu have fake-hwclock.  It updates the time in a file on halt and 
every hour so you have decent restart time on boot after a crash.  It's "just" 
a shell script so it should be easy to copy to other distros.

I haven't found anything for Fedora.

I haven't looked for FreeBSD or NetBSD.


-- 
These are my opinions.  I hate spam.
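
Added example, not part of the original message and not fake-hwclock's own code: a POSIX shell sketch of the save-and-restore approach described above, which gets a clockless board close to real time at boot so certificate date checks can stay enabled. The stamp file path and the function names are hypothetical.

```shell
#!/bin/sh
# Sketch of a "saved clock floor" for boards without an RTC.
# STAMP_FILE and all function names are hypothetical (assumptions for this example).
STAMP_FILE="${STAMP_FILE:-/var/lib/clock-floor/epoch}"

# Save a timestamp (seconds since the epoch; defaults to the current time).
# Write to a temp file and rename, so a crash mid-write cannot leave a torn file.
save_stamp() {
    now="${1:-$(date +%s)}"
    tmp="$STAMP_FILE.tmp.$$"
    printf '%s\n' "$now" > "$tmp" && mv "$tmp" "$STAMP_FILE"
}

# Print the saved epoch. Fails if the file is missing or is not a plain number,
# so a corrupted file is never fed to the clock.
read_stamp() {
    [ -r "$STAMP_FILE" ] || return 1
    saved=$(head -n 1 "$STAMP_FILE")
    case "$saved" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$saved"
}

# Print the epoch the clock should be stepped to at boot, or fail if no step
# is needed. The clock is only ever moved forward: if the current time is
# already later than the saved value, it is left alone.
# $1 = current epoch (defaults to the system clock; passed explicitly in tests)
restore_target() {
    now="${1:-$(date +%s)}"
    saved=$(read_stamp) || return 1
    [ "$saved" -gt "$now" ] || return 1
    printf '%s\n' "$saved"
}

# Boot-time use, before ntpd starts (needs root; GNU date syntax):
#   target=$(restore_target) && date -u -s "@$target"
# Hourly job and shutdown hook:
#   save_stamp
```

The restored time is stale by however long the board was powered off, so it is only a starting point for ntpd and will not help if the outage was longer than the remaining lifetime of the server's certificate.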




