Unbound with DoT fails to verify certificates with clock drift
Topic: Unbound with DoT fails to verify certificates with clock drift (OPNsense Forum, Archive, 21.7 Legacy Series)
ryp43
Newbie
Posts: 27
Karma: 0
Unbound with DoT fails to verify certificates with clock drift
on: December 25, 2021, 11:58:54 am
Hi!
Due to a power outage, my router rebooted and its clock was set 3 months back.
Upon start-up, OPNsense got connected, but NTP failed to sync the clock due to the large drift, and as a result Unbound with DoT failed to verify certificates.
Only by setting the time manually was I able to fix both services.
It's not robust behaviour for a router. Is there a way to configure a forced clock sync?
Thanks in advance
Last Edit: December 25, 2021, 12:07:49 pm by ryp43
koushun
Jr. Member
Posts: 95
Karma: 9
Digital pimp hard at work.
Re: Unbound with DoT fails to verify certificates with clock drift
Reply #1 on: December 26, 2021, 01:07:27 am
A suggestion (however, I can see the issue):
Are you using the default ntpd service? I think you can use `ntpdate`. You could schedule a cron job using:
Code:
ntpdate
Try it from the CLI first: set the date to a wrong time and try to issue `ntpdate`.
https://en.wikipedia.org/wiki/Ntpdate
If you have disabled the default ntpd service (by removing all of the NTP servers) and are using Chrony instead, perhaps this works:
Code:
chronyc makestep
https://www.mankier.com/1/chronyc
However, in optimal conditions those cron jobs should only have to be used once, after a boot where the clock is really offset (?). I do not know how to accomplish this.
A question: did you let it run for a while? Could it be that OPNsense would be able to correct itself over time?
I myself have this scenario, which I have not found a good answer for:
- I have redirected all DNS requests to Unbound, which uses DoT upstream. Even the OPNsense installation itself.
- I have redirected all NTP requests to Chrony, which uses NTS. An NTS-secured NTP server uses TLS/SSL to authenticate NTP traffic on the net.
- I am unable to use my stratum-1 RPi GPS HAT enabled NTP server in conjunction with Chrony, because I am not allowed to mix NTS and non-NTS servers. This is merely a GUI problem, because whenever you opt in to use NTS, source selection uses `authselectmode require` and not `authselectmode mix`. I think I saw a forum post about it, but I cannot find it right now. I could go the route of adding certs and such to the Raspberry Pi...
Browse down to 'Source Selection' at
https://chrony.tuxfamily.org/doc/4.2/chrony.conf.html
to see many options that the GUI in OPNsense does not consider =)
In the scenario where the time is as wrong as it was in your case, I believe I would not get any DNS answers on my network with this setup, and all my devices would also drift, as the time would not be accepted because I have opted in for NTS and redirected all requests to the chronyd install on OPNsense.
Merry Christmas =)
Running OPNsense through Proxmox
4 x Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz (1 Socket)
24 GB RAM
ryp43
Newbie
Posts: 27
Karma: 0
Re: Unbound with DoT fails to verify certificates with clock drift
Reply #2 on: December 26, 2021, 08:18:52 am
Thanks for your time!
Are you using the default ntpd service? - Yes.
Forcing sync manually with ntpdate worked.
A question: did you let it run for a while? - The system was in a broken state for about 10 hours before I attended to the issue.
There is a reason why NTPD is not secured (no way to validate certificates), and this scenario is an exact example of why. So I would expect a forced time sync on network up. Please advise.
ryp43
Newbie
Posts: 27
Karma: 0
Re: Unbound with DoT fails to verify certificates with clock drift
Reply #3 on: December 26, 2021, 09:19:30 pm
Hi!
I have moved on to using Chrony (and disabled NTPD) with Cloudflare, and added a cron job as root to sync the clock: 'chronyc makestep'.
Thanks a lot for your help!
Merry Christmas
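The thread ends with an unconditional `chronyc makestep` from cron. An added example, not code from any poster nor from OPNsense, chrony or ntp: a boot-time sanity check that only forces a step when the clock is obviously wrong (earlier than a date the script is known to post-date), picks `chronyc makestep` or `ntpdate` depending on which daemon is installed, and restarts Unbound afterwards so its DoT upstreams are re-verified with the corrected time. The reference epoch, the `192.0.2.1` placeholder NTP address, the `--dry-run` flag and the `service unbound restart` line are this example's own assumptions and need adapting to the box in question.

```shell
#!/bin/sh
# Added example (not from the thread, OPNsense, chrony or ntp): force a clock
# step at boot only when the wall clock is impossible, then restart Unbound.
# Assumed to run as root from cron (for example with "@reboot" or a few
# minutes after boot). All names and values below are this example's own.

# Any wall-clock time earlier than this is impossible, because the script was
# written after it. 1640390400 = 2021-12-25T00:00:00Z (assumed; use your own).
REFERENCE_EPOCH=1640390400

# NTP source as an IP literal so the step does not depend on DNS, which is the
# service that is broken while certificates cannot be verified. 192.0.2.1 is a
# documentation-range placeholder (assumption); replace it with a real server.
NTP_SERVER="${NTP_SERVER:-192.0.2.1}"

# clock_is_sane NOW REF: succeed if NOW (epoch seconds) is not before REF.
clock_is_sane() {
    [ "$1" -ge "$2" ]
}

# step_cmd: print the command that steps the clock on this box.
# "chronyc makestep" asks a running chronyd to step immediately; "ntpdate -b"
# steps from the given server (ntpd must not be holding port 123 at that time).
step_cmd() {
    if command -v chronyc >/dev/null 2>&1; then
        echo "chronyc makestep"
    else
        echo "ntpdate -b -u $NTP_SERVER"
    fi
}

# step_clock [--dry-run]: run (or only print) the step command.
step_clock() {
    cmd=$(step_cmd)
    if [ "$1" = "--dry-run" ]; then
        echo "$cmd"
        return 0
    fi
    $cmd
}

main() {
    now=$(date +%s)
    if clock_is_sane "$now" "$REFERENCE_EPOCH"; then
        echo "clock plausible ($now >= $REFERENCE_EPOCH); nothing to do"
        return 0
    fi
    echo "clock implausible ($now < $REFERENCE_EPOCH); forcing a step"
    step_clock "$1" || { echo "step failed" >&2; return 1; }
    # Unbound's DoT sessions were rejected under the old time; restart it so
    # they are re-established and verified. (Assumed rc script name: unbound.)
    [ "$1" = "--dry-run" ] || service unbound restart
}

main "$@"
```

Two caveats a practitioner would want. First, the daemons can do this themselves: a `makestep 1 3` line in chrony.conf lets chronyd step the clock during its first three updates when the offset exceeds one second, and ntpd started with `-g` accepts one initial correction larger than its 1000 s panic threshold; either removes the need for a cron job, whereas running `chronyc makestep` on a timer steps the clock on every run instead of slewing, which can move timestamps backwards in logs. Second, the chicken-and-egg problem koushun describes stays unless at least one time source is reachable without the broken path: NTS key exchange is TLS and fails under a wrong clock just like DoT, and an NTP server configured by hostname cannot be resolved while Unbound rejects its upstreams, so keep one plain NTP source as an IP literal.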