OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: ryp43 on December 25, 2021, 11:58:54 AM

Title: Unbound with DoT fails to verify certificates with clock drift
Post by: ryp43 on December 25, 2021, 11:58:54 AM
Hi!

Due to a power outage, my router rebooted and its clock was set 3 months back.

Upon start-up, the OPNsense got connected, but NTP failed to sync the clock due to the large drift, and as a result Unbound with DoT failed to verify certificates.

Only by setting the time manually was I able to fix both services.

It's not a robust behavior for the router. Is there a way to configure forced clock sync?

Thanks in advance
Title: Re: Unbound with DoT fails to verify certificates with clock drift
Post by: koushun on December 26, 2021, 01:07:27 AM
A suggestion (however, I can see the issue):

Are you using the default ntpd service? I think you can use `ntpdate`. You could schedule a cron job using:
ntpdate

Try it from the CLI first? Set date to a wrong time, and try to issue `ntpdate`.
https://en.wikipedia.org/wiki/Ntpdate

If you have disabled the default ntpd service by removing all of the NTP servers and are using Chrony instead, perhaps this works:
chronyc makestep

https://www.mankier.com/1/chronyc

However, in optimal conditions those cron jobs should only have to be used once, after a boot where the time is really offset (?). I do not know how to accomplish this.


A question- did you let it run for a while? Could it be that OPNsense would be able to correct itself, over time?

I myself have this scenario which I have not found a good answer for:
- I have redirected all DNS requests to Unbound, which uses DoT upstream. Even the OPNsense installation as well.
- I have redirected all NTP requests to Chrony, which uses NTS - an NTS-secured NTP server uses TLS/SSL to authenticate NTP traffic on the net.
- I am unable to use my stratum-1 rpi GPS HAT enabled NTP server in conjunction with Chrony, because I am not allowed to mix NTS and non-NTS servers. Which is merely a GUI problem, because whenever you opt in to use NTS, Source Selection is using `authselectmode require` and not `authselectmode mix`. I think I saw a forum post about it, but I cannot find it right now. I could go the route of adding certs and stuff to the Raspberry Pi...

Browse down to 'Source Selection' - https://chrony.tuxfamily.org/doc/4.2/chrony.conf.html to see many options that the GUI in OPNsense does not consider =)


In the scenario where the time would be as wrong as it was in your case, I believe I would not get any DNS answers on my network with this setup, and all my devices would drift as well, since the time would not be accepted because I have opted in for NTS and redirected all requests to the chronyd install on OPNsense.

Merry Christmas =)
Title: Re: Unbound with DoT fails to verify certificates with clock drift
Post by: ryp43 on December 26, 2021, 08:18:52 AM
Thanks for your time!

Are you using the default ntpd service? - yes.

Forcing sync manually with ntpdate worked.

A question - did you let it run for a while? - the system was in a broken state for about 10 hours before I attended to the issue.

There is a reason why NTPD is not secured (no way to validate a certificate), and this scenario is an exact example of why. So I would expect forcing time sync on network up. Please advise.
Title: Re: Unbound with DoT fails to verify certificates with clock drift
Post by: ryp43 on December 26, 2021, 09:19:30 PM
Hi!

I have moved on to using Chrony (and disabled NTPD) with Cloudflare and added a cron job as root to sync the clock: 'chronyc makestep'.

Thanks a lot for your help!

Merry Christmas
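As an added example (not code from the thread or from OPNsense), the unconditional `chronyc makestep` cron job above can be made conditional: read `chronyc tracking`, and only step the clock when chrony reports it is unsynchronised or the offset is large enough to push certificate validity checks outside a DoT server's `notBefore`/`notAfter` window. Written for POSIX sh (OPNsense is FreeBSD); `MAX_OFFSET`, `DRY_RUN` and the sample tracking text are my own constructions.

```shell
#!/bin/sh
# Added example: step the clock only when chrony says it is badly off.
# Assumes chrony is installed (chronyc on PATH); MAX_OFFSET and DRY_RUN are my own names.
MAX_OFFSET="${MAX_OFFSET:-60}"   # seconds; TLS validity windows tolerate far less than a 3-month jump

# Constructed sample of `chronyc tracking`, modelled on the ~3 month (7776000 s) jump in the thread.
SAMPLE_TRACKING='Reference ID    : A29FC87B (time.cloudflare.com)
Stratum         : 4
System time     : 7776000.250000000 seconds slow of NTP time
Last offset     : -0.000123456 seconds
Leap status     : Normal'

# Print the absolute "System time" offset (field 4 of that line) from tracking output on stdin.
tracking_offset() {
    awk '/^System time/ { print $4; found = 1 } END { if (!found) print "unknown" }'
}

# Exit 0 when a step is required: chrony not synchronised, or offset above MAX_OFFSET.
# Unparsable output exits 1: with no usable measurement there is nothing safe to step to.
needs_step() {
    tracking="$1"
    if printf '%s\n' "$tracking" | grep -q '^Leap status *: Not synchronised'; then
        return 0
    fi
    off=$(printf '%s\n' "$tracking" | tracking_offset)
    [ "$off" = "unknown" ] && return 1
    awk -v o="$off" -v t="$MAX_OFFSET" 'BEGIN { exit !(o > t) }'
}

# Run `chronyc makestep` only when the decision function says so; DRY_RUN=1 just reports.
# With no argument, live `chronyc tracking` output is used.
step_if_needed() {
    tracking="${1:-$(chronyc tracking 2>/dev/null)}"
    if needs_step "$tracking"; then
        echo "clock offset too large for TLS validation; stepping"
        [ "${DRY_RUN:-0}" = 1 ] || chronyc makestep
        return 0
    fi
    echo "clock within ${MAX_OFFSET}s of NTP; no step"
    return 1
}

# Stand-alone demonstration against the constructed sample, so it runs without chronyd.
DRY_RUN=1 step_if_needed "$SAMPLE_TRACKING" || :
```

The same effect without a cron job is chrony's own `makestep` directive in chrony.conf (for example `makestep 1.0 3`, which allows stepping during the first three updates after boot); the script is for setups where the configuration file is not editable from the GUI.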