bug#37318: OpenNTPD generated config is convoluted
From: Maxim Cournoyer
Subject: bug#37318: OpenNTPD generated config is convoluted
Date: Fri, 06 Sep 2019 18:34:34 +0900
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.2 (gnu/linux)
The problem of OpenNTPD not syncing was caused by the use of constraint
directives; ntpd would print the message (when run in debug mode with
the -v option):
--8<---------------cut here---------------start------------->8---
constraint: failed to load constraint ca
--8<---------------cut here---------------end--------------->8---
Some investigation follows.
In the sources, the block printing this message is:
#ifdef HAVE_LIBTLS
	/* Init TLS and load CA certs before chroot() */
	if (tls_init() == -1)
		fatalx("tls_init");
	if ((conf->ca = tls_load_file(CONSTRAINT_CA,
	    &conf->ca_len, NULL)) == NULL)
		fatalx("failed to load constraint ca");
#endif
Furthermore, CONSTRAINT_CA is set at configuration time like:
AC_ARG_WITH([cacert],
	AS_HELP_STRING([--with-cacert=path],
		[CA certificate location for HTTPS constraint
		validation]),
	CONSTRAINT_CA="$withval",
	CONSTRAINT_CA="/etc/ssl/cert.pem"
)
The configure flag --with-cacert is not used in our openntpd package, so
it must be configured to use the certificate authority at
/etc/ssl/cert.pem.
Let's verify this:
sudo ltrace -f -e open /gnu/store/j4abi03pc4b0gfs2mlbzyd6g9bjqphyc-openntpd-6.2p3/sbin/ntpd -f ~/openntpd.conf -d -s -v
[...]
[pid 20164] libtls.so.17->open("/etc/ssl/cert.pem", 0, 00) = -1
constraint: failed to load constraint ca
[pid 20164] +++ exited (status 1) +++
[pid 20161] --- SIGCHLD (Child exited) ---
no constraint reply from 172.217.31.132 received in time, next query 900s
[pid 20165] libtls.so.17->open("/etc/ssl/cert.pem", 0, 00) = -1
constraint: failed to load constraint ca
[pid 20165] +++ exited (status 1) +++
[pid 20161] --- SIGCHLD (Child exited) ---
no constraint reply from 2404:6800:4004:818::2004 received in time, next query 900s
Indeed, it's reading that file, which doesn't exist.
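A pre-flight check for the failure described in this report, added here as an example and not part of the bug report or of OpenNTPD itself. Because ntpd loads the CA bundle from the compile-time CONSTRAINT_CA path before it chroots and cannot recover later, an operator enabling constraint directives wants to know up front whether that file exists, is readable, and actually holds PEM certificates. The function name, its return codes and the default path argument (taken from the configure.ac default quoted above) are this example's own assumptions.

```shell
#!/bin/sh
# Added example: verify that the CA bundle OpenNTPD's constraint feature
# will try to load is usable. The path defaults to the configure.ac
# default (/etc/ssl/cert.pem); pass the --with-cacert value if the
# package was built with one.
#
# Return codes (assumption of this example, not ntpd's):
#   0  usable CA bundle
#   1  file does not exist (ntpd would log "failed to load constraint ca")
#   2  file exists but is not readable by this user
#   3  file exists but contains no PEM certificate
check_constraint_ca() {
	ca="${1:-/etc/ssl/cert.pem}"

	if [ ! -f "$ca" ]; then
		echo "constraint CA missing: $ca (ntpd will exit with 'failed to load constraint ca')" >&2
		return 1
	fi

	if [ ! -r "$ca" ]; then
		echo "constraint CA not readable: $ca" >&2
		return 2
	fi

	# tls_load_file() parses PEM; an empty or non-PEM file is as bad as a
	# missing one, so require at least one certificate block.
	count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$ca" 2>/dev/null || true)
	if [ "${count:-0}" -eq 0 ]; then
		echo "constraint CA has no PEM certificates: $ca" >&2
		return 3
	fi

	echo "constraint CA ok: $ca ($count certificate(s))"
	return 0
}
```

Run it as `check_constraint_ca` (default path) or `check_constraint_ca /path/to/cert.pem` from the same shell before adding constraint directives to openntpd.conf; on the Guix system in this report it returns 1 for /etc/ssl/cert.pem, which is exactly the condition the ltrace output shows.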