1) NTS keys are generated by letsencrypt/certbot and in Ubuntu are accessible to group ssl-certs. I can add the Chrony user _chrony to group ssl-certs, and verify that the user can access the certificates. Also, I added an AppArmor exception to allow Chrony to access the keys. Still, Chrony won't be able to access the keys, as Chrony seems to be stripping group permissions from itself.
What is the valid path to making NTS work without actually copying/chown-ing keys on a schedule? I would prefer to keep private keys in a single place.

2) Will chrony see that the keys are updated, or will it need to have the keys reloaded in a script?
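Added example, not part of the original message: one way to check the observation in 1) is to compare the group that owns the key file with the groups the running daemon actually holds, as listed in `/proc/<pid>/status`. The function names are hypothetical, and the script assumes Linux `/proc` and GNU `stat`; the PID and key path are supplied by the caller.

```shell
#!/bin/sh
# Added example: does a running process still hold the group that owns a file?
# Assumes Linux /proc and GNU stat. Function names are hypothetical.

# Print the supplementary GIDs from /proc-style status text on stdin,
# one per line (the "Groups:" line).
status_groups() {
    awk '/^Groups:/ { for (i = 2; i <= NF; i++) print $i }'
}

# Succeed if GID $1 appears (as a whole line) in the list on stdin.
has_gid() {
    grep -qx -- "$1"
}

# Report whether process $1 holds the group that owns file $2,
# either as its effective GID or as a supplementary group.
check_key_access() {
    pid=$1
    keyfile=$2
    gid=$(stat -c %g -- "$keyfile") || return 2
    # Third field of "Gid:" is the effective GID.
    egid=$(awk '/^Gid:/ { print $3 }' "/proc/$pid/status") || return 2
    if [ "$egid" = "$gid" ] ||
       status_groups < "/proc/$pid/status" | has_gid "$gid"; then
        echo "pid $pid holds gid $gid (owner group of $keyfile)"
    else
        echo "pid $pid does NOT hold gid $gid (owner group of $keyfile)"
        return 1
    fi
}

# Usage: ./check.sh <pid-of-chronyd> <path-to-private-key>
if [ "$#" -eq 2 ]; then
    check_key_access "$1" "$2"
fi
```

A group added to a user after the daemon started, or dropped by the daemon itself, will be missing from the `Groups:` line even though `id _chrony` lists it.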