Unbound with DoT fails to verify certificates with clock drift

Started by ryp43, December 25, 2021, 11:58:54 AM

Hi!

Due to a power outage, my router rebooted and its clock was set 3 months back.

Upon start-up, the Opnsense got connected but NTP failed to sync the clock due to large drift and as a result, Unbound with DoT failed to verify certificates.

Only by setting the time manually, I was able to fix both services.

It's not a robust behavior for the router. Is there a way to configure forced clock sync?

Thanks in advance

A suggestion (however, I can see the issue):

Are you using the default ntpd service? I think you can use `ntpdate`. You could schedule a cron job using:
ntpdate

Try it from the CLI first? Set date to a wrong time, and try to issue `ntpdate`.
https://en.wikipedia.org/wiki/Ntpdate

If you have disabled the default ntpd service by removing all of the NTP servers and are using Chrony instead, perhaps this works:
`chronyc makestep`

https://www.mankier.com/1/chronyc

However, in optimal conditions those cron jobs should only have to be run once, after a boot where the clock is really offset (?). I do not know how to accomplish this.


A question- did you let it run for a while? Could it be that OPNsense would be able to correct itself, over time?

I myself have this scenario which I have not found a good answer for:
- I have redirected all DNS requests to Unbound, which uses DoT upstream. Even the OPNsense installation as well.
- I have redirected all NTP requests to Chrony, which uses NTS - an NTS-secured NTP server uses TLS/SSL to authenticate NTP traffic on the net.
- I am unable to use my stratum-1 RPi GPS-HAT-enabled NTP server in conjunction with Chrony, because I am not allowed to mix NTS and non-NTS servers. This is merely a GUI problem, because whenever you opt in to use NTS, source selection uses `authselectmode require` and not `authselectmode mix`. I think I saw a forum post about it, but I cannot find it right now. I could go the route of adding certs and stuff to the Raspberry Pi...

Browse down to 'Source Selection' - https://chrony.tuxfamily.org/doc/4.2/chrony.conf.html to see many options that the GUI in OPNsense does not consider =)


In the scenario where the time would be as wrong as it was in your case, I believe I would not get any DNS answers on my network with this setup, and all my devices would drift as well, as the time would not be accepted because I have opted in for NTS and redirected all requests to the chronyd install on OPNsense.

Merry Christmas =)
Running OPNsense through Proxmox
4 x Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz (1 Socket)
24 GB RAM
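Chrony can do the "step once after boot, never again" that the post above asks about without a cron job, via the `makestep` directive in chrony.conf, and the related `nocerttimecheck` directive addresses the NTS bootstrap concern raised at the end of the post (NTS key establishment is itself TLS, so a clock three months behind would reject the NTS server's certificate too). The fragment below is an added example, not from the thread or from the OPNsense Chrony plugin; the file path and the server name are assumptions, and whether the OPNsense GUI exposes these directives is not known from this thread.

```conf
# chrony.conf fragment. The path /usr/local/etc/chrony.conf is an assumption
# for OPNsense/FreeBSD; on most Linux systems it is /etc/chrony.conf.

# NTS-authenticated time source. The host name is an assumption; any
# NTS-capable server works here.
server time.cloudflare.com iburst nts

# Step the clock if it is more than 1 second off, but only during the first
# 3 clock updates after chronyd starts. Every later correction is slewed
# gradually, so a recurring "chronyc makestep" cron job is not needed.
# Use "makestep 1.0 -1" to allow stepping at any time (no update limit).
makestep 1.0 3

# Skip the certificate validity-period (notBefore/notAfter) check for the
# first clock update only, so a badly wrong clock can still bootstrap from
# the NTS source. The certificate chain and host name are still verified;
# only the time window is ignored for that one update.
nocerttimecheck 1
```

The tradeoff of `nocerttimecheck` is that, for that first update, an expired or not-yet-valid certificate for the configured host name would be accepted, which is why the limit is kept at 1 rather than disabled outright.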

thanks for your time!

Are you using the default ntpd service? -yes.

Forcing sync manually with ntpdate worked.

A question- did you let it run for a while? - the system was in a broken state for about 10 hours before I attended the issue.

There is a reason why NTPD is not secured (no way to validate certificate), and this scenario is an exact example of why. So I would expect forcing time sync on network up. Please advise

Hi!

I have moved on using CHRONY (+disabled NTPD) with Cloudflare and added cron job as root to sync clock - 'chronyc makestep'.

Thanks a lot for your help!

Merry Christmas