The problem of OpenNTPD not syncing was caused by the use of constraint
directives; ntpd would print the message (when run in debug mode with
the -v option):

--8<---------------cut here---------------start------------->8---
constraint: failed to load constraint ca
--8<---------------cut here---------------end--------------->8---

Some investigation follows.

In the sources, the block printing this message is:

#ifdef HAVE_LIBTLS
        /* Init TLS and load CA certs before chroot() */
        if (tls_init() == -1)
                fatalx("tls_init");
        if ((conf->ca = tls_load_file(CONSTRAINT_CA,
            &conf->ca_len, NULL)) == NULL)
                fatalx("failed to load constraint ca");
#endif

Furthermore, CONSTRAINT_CA is set at configuration time like:

AC_ARG_WITH([cacert],
        AS_HELP_STRING([--with-cacert=path],
                       [CA certificate location for HTTPS constraint validation]),
        CONSTRAINT_CA="$withval",
        CONSTRAINT_CA="/etc/ssl/cert.pem"
)

The configure flag --with-cacert is not used in our openntpd package, so
it must be configured to use the certificate authority at
/etc/ssl/cert.pem.


Let's verify this:

sudo ltrace -f -e open /gnu/store/j4abi03pc4b0gfs2mlbzyd6g9bjqphyc-openntpd-6.2p3/sbin/ntpd -f ~/openntpd.conf -d -s -v
[...]
[pid 20164] libtls.so.17->open("/etc/ssl/cert.pem", 0, 00) = -1
constraint: failed to load constraint ca
[pid 20164] +++ exited (status 1) +++
[pid 20161] --- SIGCHLD (Child exited) ---
no constraint reply from 172.217.31.132 received in time, next query 900s
[pid 20165] libtls.so.17->open("/etc/ssl/cert.pem", 0, 00) = -1
constraint: failed to load constraint ca
[pid 20165] +++ exited (status 1) +++
[pid 20161] --- SIGCHLD (Child exited) ---
no constraint reply from 2404:6800:4004:818::2004 received in time, next query 900s

Indeed, it's reading that file, which doesn't exist.
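As an added example (not part of the original report), a small triage script that classifies the ntpd debug/ltrace lines shown above into "CA bundle could not be opened", "constraint child aborted" and "constraint server left unanswered", plus a preflight check that the compile-time CA path will actually load before ntpd chroots. The sample log is constructed from the session in the report; `ca_bundle_ok` and `diagnose` are hypothetical helper names.

```python
"""Triage OpenNTPD debug/ltrace output for the missing constraint-CA failure."""
import re
from dataclasses import dataclass, field

# Default compile-time value from OpenNTPD's configure.ac when
# --with-cacert is not passed (see the AC_ARG_WITH block in the report).
DEFAULT_CONSTRAINT_CA = "/etc/ssl/cert.pem"

OPEN_FAIL = re.compile(r'open\("([^"]+)", \d+, \d+\) = -1')      # ltrace line
CA_FAIL = re.compile(r"constraint: failed to load constraint ca")  # fatalx() text
NO_REPLY = re.compile(r"no constraint reply from (\S+) received in time")

@dataclass
class Diagnosis:
    ca_open_failures: list = field(default_factory=list)   # paths open() failed on
    ca_load_errors: int = 0                                 # constraint children that died
    unanswered_constraints: list = field(default_factory=list)  # HTTPS hosts never checked

def diagnose(lines):
    """Classify each ntpd -d -v / ltrace line; returns a Diagnosis."""
    d = Diagnosis()
    for line in lines:
        if m := OPEN_FAIL.search(line):
            d.ca_open_failures.append(m.group(1))
        elif CA_FAIL.search(line):
            d.ca_load_errors += 1
        elif m := NO_REPLY.search(line):
            d.unanswered_constraints.append(m.group(1))
    return d

def ca_bundle_ok(path=DEFAULT_CONSTRAINT_CA):
    """Preflight: the bundle ntpd opens before chroot() must be readable
    and contain at least one PEM certificate, else every constraint fails."""
    try:
        with open(path, "rb") as f:
            return b"-----BEGIN CERTIFICATE-----" in f.read()
    except OSError:
        return False

# Constructed sample, trimmed from the ltrace session in the report.
SAMPLE = """\
[pid 20164] libtls.so.17->open("/etc/ssl/cert.pem", 0, 00) = -1
constraint: failed to load constraint ca
[pid 20164] +++ exited (status 1) +++
no constraint reply from 172.217.31.132 received in time, next query 900s
[pid 20165] libtls.so.17->open("/etc/ssl/cert.pem", 0, 00) = -1
constraint: failed to load constraint ca
no constraint reply from 2404:6800:4004:818::2004 received in time, next query 900s
""".splitlines()
```

Running `diagnose(SAMPLE)` on a host where the CA path does not exist pairs each open() failure with a dead constraint child and an unanswered HTTPS constraint host, which is the signature of this bug; `ca_bundle_ok()` returning False on the build's CONSTRAINT_CA path confirms it before ntpd is even started.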
