Raspberry Pi startup: certificate is not yet valid

countkase at yahoo.com
Wed May 11 15:21:17 UTC 2022


On Wednesday, May 11, 2022, 03:31:52 AM PDT, Hal Murray via devel <devel at ntpsec.org> wrote:

> Thanks.


> > I like your suggestion of ntpd using "-g" to get the system time close, before
> > checking any certificates.

> It was Richard's suggestion, not mine.  The idea was to only skip the date
> checks and do the rest of the certificate checking.

> I don't like it for 2 reasons.

> The main reason is that it's a hole in security.  I don't want to clutter up
> security discussions and documentation with that very unlikely case.

> The second reason is that OpenSSL isn't set up to skip only the date check.  We
> could easily implement your version of no-check, but that would make the tiny
> security hole a big hole.

> ------

> I think the alternative is to get the clock reasonably close before running
> ntpd.

> PCs with RTC/CMOS/TOY clocks are simple.  We will have to document potential
> troubles with dead batteries.

> The problem is with Raspberry Pis and similar low-end systems that don't have
> a hardware clock.

> As far as I can tell, each distro does it differently.  So we will have to
> document what to do on each distro.

> > The problem I see a lot is that a lot of Pis are started with no network
> > connection, and a bad time, so swclock is commonly used before starting ntpd.

> What is swclock?  What distros does it run on?

> I think the Linux kernel sets the clock to the build time or something similar.

> Debian/Ubuntu have fake-hwclock.  It updates the time in a file on halt and
> every hour so you have decent restart time on boot after a crash.  It's "just"
> a shell script so it should be easy to copy to other distros.

> I haven't found anything for Fedora.

> I haven't looked for FreeBSD or NetBSD.

swclock is a C program (source is at
https://github.com/OpenRC/openrc under src/swclock) and it
doesn't quite run the same way. swclock claims to use the mtime
of a file while fake-hwclock seems to use the contents of a
different file.
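The save/restore mechanism the thread is comparing, as an added example written for this page; it is not the Debian fake-hwclock script, not OpenRC's swclock, and not NTPsec code. It assumes a state file that stores UTC epoch seconds (Debian's script stores a human-readable timestamp, and swclock uses the file's mtime instead of its contents), GNU `date` for the `-s @epoch` form, and a hypothetical state-file path. The one rule worth noticing for the certificate problem is that a saved timestamp is only a lower bound on the real time: the restore step moves the clock forward to it, never backward, so a clock that is already ahead of the file is left alone for ntpd to correct.

```shell
#!/bin/sh
# Simplified fake-hwclock-style save/restore. Example code for this page,
# not the Debian or OpenRC implementation. State file format (assumed here):
# a single line of UTC epoch seconds.

# Record the current time. Intended to run on halt and from a periodic
# timer, so after a crash the saved value is at most one period stale.
fake_hwclock_save() {
    state_file=$1
    date -u +%s > "$state_file"
}

# Decide what the boot-time clock should be. Prints the epoch seconds to
# step the clock to, or "keep" if the file is missing, corrupt, or not
# later than the current time (a saved time is a lower bound, so the clock
# is never stepped backwards from it). "now" is passed in so the decision
# can be exercised without touching the real clock.
fake_hwclock_decide() {
    state_file=$1
    now=$2
    if [ ! -r "$state_file" ]; then
        echo keep
        return 0
    fi
    saved=$(cat "$state_file")
    case $saved in
        ''|*[!0-9]*)            # empty or non-numeric: ignore the file
            echo keep
            return 0 ;;
    esac
    if [ "$saved" -gt "$now" ]; then
        echo "$saved"
    else
        echo keep
    fi
}

# Apply the decision to the real clock. Needs root and GNU date; run this
# before starting ntpd so certificate date checks see a plausible clock.
fake_hwclock_load() {
    state_file=$1
    target=$(fake_hwclock_decide "$state_file" "$(date -u +%s)")
    if [ "$target" != keep ]; then
        date -u -s "@$target" > /dev/null
    fi
}

# Typical use (path is an assumption for this example, not a real default):
#   fake_hwclock_save /var/lib/example-clock.data     # from a timer and on halt
#   fake_hwclock_load /var/lib/example-clock.data     # at boot, before ntpd
```

The decision logic is kept separate from the `date -s` call so it can be checked without root; the same split lets the swclock variant be tried by swapping `cat "$state_file"` for a read of the file's mtime.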

