Yo Richard!

On Tue, 2 Apr 2019 20:00:27 -0500
Richard Laager via devel <devel@ntpsec.org> wrote:

> On 4/2/19 5:35 PM, Gary E. Miller via devel wrote:
> > Also, still broken for me when the fullchain.pem is in /tmp:
>
> OpenSSL takes root certificates in two ways.

Well, somehow some people manage to get more.

> B) You can specify a directory, in which case the certificates must be
> named (or more typically, symlinked) with their hash; see `openssl
> rehash`. Note that the files processed by `openssl rehash` must have
> one certificate per file.

I'm just going by the ntp.conf doc. Which does not mention that.

> Technically speaking, fullchain.pem from certbot does not contain a
> root certificate. It contains the end certificate and an intermediate
> CA certificate. That said, adding the intermediate as a trusted root
> should still cause validation to pass.

Yup. For example, technically, there is NO Let's Encrypt Root cert. They
had to piggyback on other CAs:

https://letsencrypt.org/certificates/

> Try something like this:
>
> mkdir /tmp/certs
> cp /tmp/fullchain.pem /tmp/certs/
> cd /tmp/certs
>
> vi fullchain.pem
> # Delete the first cert, (the end certificate) from the
> # -----BEGIN CERTIFICATE----- line through the
> # -----END CERTIFICATE----- line, inclusive. This will leave only the
> # intermediate certificate.
>
> openssl rehash .

No joy:

kong /tmp # openssl rehash .
rehash: warning: skipping fullchain.pem,it does not contain exactly one certificate or CRL

I'm not gonna edit .pem files, real users can't figure out how to do that.

So I put the LE chain.pem and cert.pem in /tmp. Then did the rehash.
That yielded the hash links. Then this line works:

server -4 pi3.rellim.com nts maxpoll 5 ca /tmp # pi3

If I delete the hash to chain.pem then it fails again. So the hash to
cert.pem does not help.

Of the things I'd like to force, cert.pem is the top of my list. It is
the only cert I know I can get remotely.

> That should give you the following, assuming you have the Let's
> Encrypt intermediate that chains up to IdenTrust, which is the
> certbot default:
>
> $ ls
> 4f06f81d.0 fullchain.pem
>
> See if that works with "ca=/tmp/certs" in ntp.conf.

Are you sure about the equal sign? Not what "man ntp.conf" says:

       ca location
              Use the file (or directory) specified by location to
              validate NTS-KE server certificates instead of the system
              default root certificates.

I'm trying to go by the doc here, and not try other things. That way I
am debugging that the doc matches the code and vice-versa.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller
Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com  Tel:+1 541 382 8588

            Veritas liberabit vos. -- Quid est veritas?
    "If you can't measure it, you can't improve it." - Lord Kelvin
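An added example, not code from this thread or from NTPsec: a small POSIX shell helper that does the split Richard describes without hand-editing, writing each certificate of a bundle such as certbot's fullchain.pem to its own file (so `openssl rehash` no longer skips it with "does not contain exactly one certificate or CRL") and then hashing the directory for use with `ca <directory>` in ntp.conf. The cert-NN.pem naming and the sample bundle are constructed for the example; the sample bodies are placeholders, not real certificates.

```shell
#!/bin/sh
# Split a PEM bundle into one-certificate-per-file, as `openssl rehash`
# requires, then build the hashed CA directory that ntpd's `ca <dir>`
# (OpenSSL directory lookup) expects.
#
# usage: split_pem_bundle BUNDLE OUTDIR   -> prints number of certs written
split_pem_bundle() {
    bundle="$1"
    outdir="$2"
    mkdir -p "$outdir"
    # awk copies each BEGIN..END CERTIFICATE block into its own numbered
    # file (cert-01.pem, cert-02.pem, ...); text outside a block is dropped.
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ {
            n++; out = sprintf("%s/cert-%02d.pem", dir, n); inblock = 1
        }
        inblock { print > out }
        /-----END CERTIFICATE-----/ { inblock = 0; close(out) }
    ' "$bundle"
    # Report how many single-certificate files now exist in OUTDIR.
    ls "$outdir"/cert-*.pem 2>/dev/null | wc -l | tr -d ' '
}

# Create the <subject-hash>.N symlinks OpenSSL looks up in a CA directory.
rehash_dir() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    openssl rehash "$1"
}

# Constructed stand-in for fullchain.pem: two PEM blocks in the same layout
# (end certificate first, then intermediate). Bodies are dummies, not certs.
make_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBfakeENDCERTIFICATEbody
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBfakeINTERMEDIATEbody
-----END CERTIFICATE-----
EOF
}

# Stand-alone use:  sh split_pem_bundle.sh /tmp/fullchain.pem /tmp/certs
if [ "$#" -eq 2 ]; then
    split_pem_bundle "$1" "$2" >/dev/null && rehash_dir "$2"
fi
```

After the rehash, `openssl verify -CApath /tmp/certs cert.pem` is a quick way to confirm the directory validates the server certificate before pointing ntp.conf at it.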