On Tue, Sep 16, 2025 at 2:03 AM Mikhail <mikh...@zeptobars.com> wrote:
>
> 1) NTS keys are generated by letsencrypt/certbot and in Ubuntu are accessible
> to group ssl-certs.
> I can add Chrony user _chrony to group ssl-certs, and verify that user can
> access the certificates.
> Also, I added AppArmor exception to allow Chrony to access the keys.
> Still Chrony won't be able to access the keys as Chrony seems to be stripping
> group permission from itself.
>
> What is the valid path to making NTS work without actually copying/chown-ing
> keys on schedule?
Hi Mikhail,

per [1] the usual path is in /etc/chrony/*.pem which AFAIK (and hope) is also
matching the usual path upstream would expect and is what you'll see in
examples. That path is already open for read-only in the apparmor rules.

At least our own automation [2][3] will automatically pass the private keys
and store them in a compatible way - so location/permissions were never a
problem I was presented with internally before.

[1]: https://documentation.ubuntu.com/server/how-to/networking/serve-ntp-with-chrony/#nts-server
[2]: https://github.com/canonical/chrony-operator/blob/main/lib/charms/tls_certificates_interface/v3/tls_certificates.py
[3]: https://discourse.charmhub.io/t/the-tls-certificate-interface-documentation/11635

> I would prefer to keep private keys in single place.

If that is your goal then I'd expect exactly what you did or considered already:
- you'd point the chrony config to that new place and adapt the apparmor
  rules to allow chrony to read from there
- to not chown the files you'd need to change the other side - the user
  chrony runs with (`user` directive in chrony.conf).

But both changes appear as potential security risks to me. Keeping the
private keys together means once that path is exposed all of them might be
exposed. Same for the permissions, I actually like that e.g. chrony can only
access its own files and only those that an extra step of chown made clear it
is meant to read.

I'm not at all challenging what and why you do - after all there is always
one more way to set up a system. But it seems like - for the comfort of
having all private keys in one place - it could weaken some of the standard
defenses, which explains why it isn't easy (and probably should not be).

... [snip] ...

--
Christian Ehrhardt
Director of Engineering, Ubuntu Server
Canonical Ltd
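As an added example (not from the thread or from the chrony project), a small POSIX sh audit that lists the ntsserverkey files a chrony.conf points at and flags any that are readable by users other than the owner and group, the kind of check to run after moving keys or changing the `user` directive as discussed above; the config and file paths in the test are constructed.

```shell
#!/bin/sh
# Added example: audit the NTS private keys a chrony.conf references.

# Print the ntsserverkey paths from a chrony.conf, one per line.
# Comments ("# ...") are stripped first so commented-out directives are ignored.
nts_key_paths() {
    sed -e 's/#.*//' "$1" | awk '$1 == "ntsserverkey" { print $2 }'
}

# Return 0 when an octal mode grants nothing to "other" and is not group-writable,
# i.e. only the owning user (and a read-only group) can reach the key.
mode_is_private() {
    m=$(printf '%s' "$1" | sed 's/^0*//'); [ -n "$m" ] || m=0
    other=$(( m % 10 ))
    group=$(( (m / 10) % 10 ))
    [ "$other" -eq 0 ] && [ $(( group & 2 )) -eq 0 ]
}

# Check every configured key file. Prints one status line per file and
# returns non-zero if any key is missing or readable more widely than it should be.
audit_nts_keys() {
    conf=$1; rc=0
    for f in $(nts_key_paths "$conf"); do
        if [ ! -e "$f" ]; then
            printf 'MISSING  %s\n' "$f"; rc=1; continue
        fi
        # GNU stat first (Ubuntu), BSD stat as a fallback
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        owner=$(stat -c '%U' "$f" 2>/dev/null || stat -f '%Su' "$f")
        if mode_is_private "$mode"; then
            printf 'OK       %s (owner %s, mode %s)\n' "$f" "$owner" "$mode"
        else
            printf 'EXPOSED  %s (owner %s, mode %s)\n' "$f" "$owner" "$mode"; rc=1
        fi
    done
    return $rc
}
```

Run it as `audit_nts_keys /etc/chrony/chrony.conf` on a host; a key reported as EXPOSED is one that is readable by every local user, not just the user chrony runs as.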