Public bug reported:

On a fresh Ubuntu 26.04 (Resolute) install, chrony cannot synchronise 
using NTS because /etc/chrony/nts-bootstrap-ubuntu.crt only contains 
the server certificate (CN=ntp-bootstrap.ubuntu.com) but is missing 
the CA certificate (CN=ubuntu) that signed it.

Steps to reproduce:
1. Fresh Ubuntu 26.04 install
2. Check: grep -c "BEGIN CERTIFICATE" /etc/chrony/nts-bootstrap-ubuntu.crt
3. Result: 1 (should be 2 — server cert + CA cert)
4. chronyc sources -v shows all sources as '?' with Reach: 0
5. timedatectl shows: System clock synchronized: no

Confirmed with:
- openssl verify -CAfile /etc/chrony/nts-bootstrap-ubuntu.crt \
    /etc/chrony/nts-bootstrap-ubuntu.crt
- Result: error 20: unable to get local issuer certificate

The server (ntp-bootstrap.ubuntu.com:4460) also only sends 1 cert,
so the CA must be pre-installed locally — but it isn't.

Workaround: remove 'nts prefer' and 'nts certset 1' from
/etc/chrony/sources.d/ubuntu-ntp-pools.sources to fall back to plain NTP.

Package: chrony 4.8-2ubuntu1

ProblemType: Bug
DistroRelease: Ubuntu 26.04
Package: chrony 4.8-2ubuntu1
ProcVersionSignature: Ubuntu 7.0.0-15.15-generic 7.0.0
Uname: Linux 7.0.0-15-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.34.0-0ubuntu2
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Tue May 12 21:15:19 2026
InstallationDate: Installed on 2026-05-11 (1 days ago)
InstallationMedia: Ubuntu 26.04 "Resolute Raccoon" - Release amd64 (20260423.1)
ProcEnviron:
 LANG=en_US.UTF-8
 PATH=(custom, no user)
 SHELL=/bin/bash
 TERM=xterm-256color
 XDG_RUNTIME_DIR=<set>
SourcePackage: chrony
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: chrony (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug resolute wayland-session

https://bugs.launchpad.net/bugs/2152270

Title:
  nts-bootstrap-ubuntu.crt missing CN=ubuntu CA cert, NTS sync fails on
  fresh install
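
The check from the report, generalised as an added example (not part of the bug report or of the chrony package): it lists every issuer name that the certificates in a PEM trust file refer to but that the file itself does not contain. Matching is by distinguished name only, and the function names and script name are illustrative.

```shell
#!/bin/sh
# Added example: find issuers that a PEM trust file needs but does not hold.
# Name-based check only; "openssl verify" remains the signature-level test.

# cert_dn -subject|-issuer FILE : print that DN of the PEM certificate in FILE.
cert_dn() {
    openssl x509 -in "$2" -noout -nameopt RFC2253 "$1" |
        sed 's/^[a-z]*=[[:space:]]*//'
}

# missing_issuers BUNDLE
# Prints one line per issuer DN that is not the subject of any certificate
# in BUNDLE. Returns 0 if every issuer is present, 1 if at least one is
# missing, 2 if no certificate could be read from the file.
missing_issuers() (
    tmp=$(mktemp -d) || exit 2
    trap 'rm -rf "$tmp"' EXIT
    # Split the bundle into one file per certificate.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/cert-%03d.pem", dir, ++n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
    ls "$tmp"/cert-*.pem >/dev/null 2>&1 || exit 2
    # Collect every subject DN, then look each issuer DN up in that list.
    for c in "$tmp"/cert-*.pem; do cert_dn -subject "$c"; done > "$tmp/subjects"
    rc=0
    for c in "$tmp"/cert-*.pem; do
        issuer=$(cert_dn -issuer "$c")
        grep -Fxq -- "$issuer" "$tmp/subjects" && continue
        echo "$issuer"
        rc=1
    done
    exit "$rc"
)

# Usage: sh check-bundle.sh /etc/chrony/nts-bootstrap-ubuntu.crt
# (check-bundle.sh is a hypothetical name for this script)
if [ -n "${1:-}" ]; then
    echo "certificates in file: $(grep -c 'BEGIN CERTIFICATE' "$1")"
    missing_issuers "$1" | sed 's/^/issuer not in file: /'
fi
```

`openssl verify` treats a non-self-signed certificate from `-CAfile` as a trust anchor only when `-partial_chain` is passed, which is why a file holding just the leaf returns error 20.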
