On Mon, Jan 02, 2017 at 03:59:51PM +0100, Matthieu Herrb wrote:
> Hi,
>
> running -current on amd64 and i386 with the default /etc/ntpd.conf,
> ntpd doesn't send any NTP request and doesn't sync the clock...
>
> mirrorball% ntpctl -sa
> 0/4 peers valid, clock unsynced
>
> peer
>    wt tl st  next  poll          offset       delay      jitter
> 151.80.19.218 from pool pool.ntp.org
>     1  2  -    0s    0s             ---- peer not valid ----
> 37.187.104.44 from pool pool.ntp.org
>     1  2  -    0s    0s             ---- peer not valid ----
> 37.187.2.84 from pool pool.ntp.org
>     1  2  -    0s    0s             ---- peer not valid ----
> 163.172.163.169 from pool pool.ntp.org
>     1  2  -    0s    0s             ---- peer not valid ----
>
> tcpdump -n -i em0 port 123 doesn't show any traffic on ntp port....
>

Looking a bit more, this is caused by a cert validation failure during
constraints checks.

mirrorball% doas ntpd -d -v
ntp engine ready
constraint request to 74.125.232.243
constraint request to 74.125.232.240
constraint request to 74.125.232.242
constraint request to 74.125.232.244
constraint request to 2a00:1450:4010:c03::6a
constraint request to 74.125.232.241
tls write failed: 74.125.232.243 (www.google.com): certificate verification failed: certificate not trusted
tls write failed: 74.125.232.240 (www.google.com): certificate verification failed: certificate not trusted
no constraint reply from 74.125.232.243 received in time, next query 900s
tls write failed: 74.125.232.242 (www.google.com): certificate verification failed: certificate not trusted
no constraint reply from 74.125.232.240 received in time, next query 900s
tls write failed: 74.125.232.244 (www.google.com): certificate verification failed: certificate not trusted
no constraint reply from 74.125.232.242 received in time, next query 900s
tls write failed: 74.125.232.241 (www.google.com): certificate verification failed: certificate not trusted
no constraint reply from 74.125.232.244 received in time, next query 900s
no constraint reply from 74.125.232.241 received in time, next query 900s
tls write failed: 2a00:1450:4010:c03::6a (www.google.com): certificate verification failed: certificate not trusted
no constraint reply from 2a00:1450:4010:c03::6a received in time, next query 900s

The www.google.com certificate fails verification because the
'Equifax Secure Certificate Authority' root CA certificate that is on
top of the www.google.com certificate chain is missing from newer
/etc/ssl/cert.pem.

-- 
Matthieu Herrb
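
Added example, not part of the original message and not ntpd code: a small triage of `ntpd -d -v` output in the format shown above, which separates "every constraint address failed certificate verification" (look at the local CA bundle) from plain timeouts (look at the network). The verdict names and the sample addresses and host name are assumptions made for the illustration.

```python
import re

REQ = re.compile(r"^constraint request to (\S+)$")
TLS = re.compile(r"^tls write failed: (\S+) \(([^)]+)\): (.+)$")
TMO = re.compile(r"^no constraint reply from (\S+) received in time")

# Constructed sample in the format of the `ntpd -d -v` output above
# (documentation addresses, hypothetical host name).
SAMPLE = """\
ntp engine ready
constraint request to 192.0.2.10
constraint request to 192.0.2.11
constraint request to 2001:db8::6a
tls write failed: 192.0.2.10 (www.example.org): certificate verification failed: certificate not trusted
no constraint reply from 192.0.2.10 received in time, next query 900s
tls write failed: 192.0.2.11 (www.example.org): certificate verification failed: certificate not trusted
no constraint reply from 192.0.2.11 received in time, next query 900s
tls write failed: 2001:db8::6a (www.example.org): certificate verification failed: certificate not trusted
no constraint reply from 2001:db8::6a received in time, next query 900s
"""


def triage(log_text):
    """Group constraint outcomes per address and name the likely cause."""
    requested, tls_errors, timeouts = set(), {}, set()
    for line in log_text.splitlines():
        line = line.strip()
        if m := REQ.match(line):
            requested.add(m.group(1))
        elif m := TLS.match(line):
            tls_errors[m.group(1)] = (m.group(2), m.group(3))
        elif m := TMO.match(line):
            timeouts.add(m.group(1))
    cert_failed = {ip for ip, (_, why) in tls_errors.items()
                   if "certificate verification failed" in why}
    if not requested:
        verdict = "no-constraints"
    elif cert_failed >= requested:
        # Every address rejected the same way: suspect the local CA bundle.
        verdict = "check-trust-store"
    elif cert_failed:
        verdict = "partial-cert-failure"
    elif timeouts >= requested:
        verdict = "check-network"
    else:
        verdict = "ok"
    return {"requested": len(requested), "cert_failed": sorted(cert_failed),
            "timeouts_only": sorted(timeouts - set(tls_errors)), "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE))
```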
