<div dir="ltr"><div>Hal,</div><div><br></div><div>I have solved the issue for now, by changing the group of the live/and archive/ directories in /etc/letsencrypt to ntp,and giving the group read permissions.</div><div><br></div><div><br>root@ntpmon:/etc/letsencrypt# ls -l<br>total 36<br>drwx------ 4 root root 4096 Oct 21 2018 accounts<br>drwxr-x--- 3 root ntp 4096 Jan 17 2016 archive<br>-rw-r--r-- 1 root root 121 Jan 10 2018 cli.ini<br>drwxr-xr-x 2 root root 4096 May 9 09:39 csr<br>drwx------ 2 root root 4096 May 9 09:39 keys<br>drwxr-x--- 3 root ntp 4096 Jan 17 2016 live<br>-rw-r--r-- 1 root root 924 May 9 09:39 options-ssl-apache.conf<br>drwxr-xr-x 2 root root 4096 May 9 09:39 renewal<br>drwxr-xr-x 5 root root 4096 Oct 21 2017 renewal-hooks<br> </div><div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><br></div><div class="gmail_signature" data-smartmail="gmail_signature">We need to add this to the NTS Howto. Let me draft some language.<br></div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><br></div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">-- <br>Sanjeev Gupta<br>+65 98551208 <a href="http://www.linkedin.com/in/ghane" target="_blank">http://www.linkedin.com/in/ghane</a></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jun 9, 2020 at 12:23 PM Hal Murray <<a href="mailto:hmurray@megapathdsl.net">hmurray@megapathdsl.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">> Which causes ntpd to fail on startup (I assume after dropping root):<br>
<br>
Looks like you are dying trying to read the certificate. It will get worse <br>
when you want to read the key.<br>
<br>
--------------<br>
<br>
Do you trust user ntp? If so, the fix is to change ownership. I copy the <br>
cert and key over to /etc/ntp/ and change to user ntp:ntp<br>
<br>
<br>
If not, things get complicated. The current code will reload the certificate <br>
if it is updated. Are you willing to give that up? If so, we can add an <br>
option to read the certificate before dropping root and disable trying to <br>
reload. That probably won't work with early drop root.<br>
<br>
<br>
-- <br>
These are my opinions. I hate spam.<br>
<br>
<br>
<br>
</blockquote></div>