Chrony - NTS server

Started by abulafia, December 06, 2022, 10:37:20 PM

December 06, 2022, 10:37:20 PM Last Edit: December 28, 2022, 04:32:03 PM by abulafia
I noticed that the standard installation of the chrony plugin may not work as an NTS server. Can't tell for sure as I am not using a clean install. So putting this out here in case (1) it helps someone and/or (2) someone can help me improve / simplify my setup.

My issues:
chrony clients could not connect because of certificate errors.
1. the chrony plugin in server mode needs read access to the certificate and key. Without it, I got the following error:
# chronyd -Q -t 3 'server [myserver] iburst nts maxsamples 1'
...
... TLS handshake with [myserver] failed : The TLS connection was non-properly terminated.
...
2. the certificate needs to be the full chain. Without it, I got
# chronyd -Q -t 3 'server [myserver] iburst nts maxsamples 1'
...
... TLS handshake with [myserver] failed : Error in the certificate verification. The certificate is NOT trusted. The certificate issuer is unknown....
3. the standard OPNsense certificate & key at /var/etc/cert.pem / ..key.pem are readable by root only. I did not want to grant chrony access to it or include chrony in the "wheel" group.

What did I do?

1. set up a DNS alias for time.MYDOMAIN.TLD
2. set up a separate letsencrypt certificate for time.MYDOMAIN.TLD
3. set up an automation to have the certificate (full chain + key) be copied over to /var/lib/chrony and chmod those to chronyd and restart chrony:
a) set up the following backend action (https://docs.opnsense.org/development/backend/configd.html):
[NTS_renewal]
command:cp /var/etc/acme-client/home/time.XXXXX/fullchain.cer /var/lib/chrony/chrony.fullchain.cer && cp /var/etc/acme-client/home/time.XXXXX/time.XXXXX.key /var/lib/chrony/chrony.key && cp /var/etc/acme-client/home/time.XXXXX/time.XXXXX.cer /var/lib/chrony/chrony.cer && chown chronyd /var/lib/chrony/chrony.key /var/lib/chrony/chrony.cer /var/lib/chrony/chrony.fullchain.cer && /usr/local/etc/rc.d/chronyd stop && /usr/local/etc/rc.d/chronyd start
type:script
message: copy NTS certificates into chrony directory and make them readable
description: Renew NTS certificate & restart chrony (all in one go)

b) enable it: service configd restart
c) set up an automation using this action in the ACME client for the NTS certificate.
4. Point chrony to its certificate and key:
ntsservercert /var/lib/chrony/chrony.fullchain.cer
ntsserverkey /var/lib/chrony/chrony.key

(not sure this will persist an update of the plugin though ...)

Now it seems to work. Hooray!  :D

resources:
- https://docs.opnsense.org/development/backend/configd.html
- https://unix.stackexchange.com/questions/712784/chrony-fails-to-sync-with-nts-enabled

Pinging @mimugmail in case some of this could be integrated into the plugin itself (as it purports to create a working NTS server which it _may_ not do).

Especially, it seems that the manual edits to the config file (specifically the "ntsservercert" / "ntsserverkey" part) are overwritten ...
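The three problems in the post (key not readable by chrony, bare leaf instead of full chain, root-only files) can all be caught before chronyd is restarted. The script below is an added example, not abulafia's configd action and not part of the os-chrony plugin: it assumes the acme.sh directory layout from the post (/var/etc/acme-client/home/<name>/fullchain.cer and <name>.key), /var/lib/chrony as chrony's directory and "chronyd" as the service user, but takes all of them as parameters so it can be exercised on constructed files. It refuses to install a chain with fewer than two certificates, installs only the full chain and the key (chrony never reads the bare leaf), keeps the key 0600 owned by the chrony user, and verifies the result with ls(1) rather than stat(1) because stat's flags differ between FreeBSD and GNU.

```shell
#!/bin/sh
# Added example, not the post author's configd action and not plugin code.
# Assumed layout (from the post): $acme_dir/fullchain.cer and $acme_dir/$name.key;
# destination /var/lib/chrony and owner "chronyd" are defaults, not hard-coded.
set -eu

# Number of PEM certificate blocks in a file. A Let's Encrypt full chain carries
# at least two (leaf + intermediate); a bare leaf carries exactly one.
count_certs() {
    [ -f "$1" ] || { echo 0; return; }
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Issue 2 from the post: chrony must be handed the full chain, otherwise clients
# fail the handshake with "The certificate issuer is unknown".
check_fullchain() {
    [ "$(count_certs "$1")" -ge 2 ]
}

# Issues 1 and 3: the key must be readable by the chrony user and nobody else.
# Only the first 10 characters of ls output are compared, since an ACL marker
# ("+") may follow them; the third field is the owner on both FreeBSD and GNU.
check_key_perms() {
    key=$1; expected_owner=$2
    perms=$(ls -ld "$key" | cut -c1-10)
    owner=$(ls -ld "$key" | awk '{print $3}')
    [ "$perms" = "-rw-------" ] && [ "$owner" = "$expected_owner" ]
}

# Copy chain and key into chrony's directory with tight permissions. A chain
# that is not a full chain is refused instead of being served to clients.
install_nts_certs() {
    acme_dir=$1; name=$2; dest=$3; owner=$4
    chain="$acme_dir/fullchain.cer"
    key="$acme_dir/$name.key"
    if ! check_fullchain "$chain"; then
        echo "refusing: $chain has $(count_certs "$chain") certificate(s), expected a full chain" >&2
        return 1
    fi
    [ -f "$key" ] || { echo "missing key $key" >&2; return 1; }
    # copy inside a subshell so the restrictive umask does not leak out
    (umask 077 && cp "$chain" "$dest/chrony.fullchain.cer" && cp "$key" "$dest/chrony.key")
    chmod 644 "$dest/chrony.fullchain.cer"   # the chain is public anyway
    chmod 600 "$dest/chrony.key"
    chown "$owner" "$dest/chrony.fullchain.cer" "$dest/chrony.key"
    check_key_perms "$dest/chrony.key" "$owner"
}

# Wrapper suitable as the configd action body: install, then restart chronyd so
# it loads the renewed certificate. Only runs when invoked with arguments.
nts_renewal() {
    install_nts_certs "$1" "$2" "${3:-/var/lib/chrony}" "${4:-chronyd}"
    if [ -x /usr/local/etc/rc.d/chronyd ]; then
        /usr/local/etc/rc.d/chronyd restart
    fi
}

# usage: nts_renewal.sh /var/etc/acme-client/home/time.example time.example
if [ "$#" -ge 2 ]; then
    nts_renewal "$@"
fi
```

Pointing the configd action's command: line at this script (with the two path arguments) replaces the long cp/chown/stop/start chain from the post; the chronyd stanza (ntsservercert /var/lib/chrony/chrony.fullchain.cer, ntsserverkey /var/lib/chrony/chrony.key) stays as in step 4.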