> The server (ntp-bootstrap.ubuntu.com:4460) also only sends 1 cert,
> so the CA must be pre-installed locally — but it isn't.

Normally, we need the CA, yes. But in this case, we are telling chrony that this very specific server certificate is trusted:

In /etc/chrony/conf.d/ubuntu-nts.conf:

    # This CA is needed for the Ubuntu NTS bootstrap servers.
    (...)
    ntstrustedcerts 1 /etc/chrony/nts-bootstrap-ubuntu.crt

The comment in that file is wrong in the sense that this is not a CA, but just a server certificate, and that is my original mistake back when this was introduced.

Are you getting a specific chrony error in the logs?

--
https://bugs.launchpad.net/bugs/2152270

Title:
  nts-bootstrap-ubuntu.crt missing CN=ubuntu CA cert, NTS sync fails on fresh install
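
One way to check the point made in this reply, that a file named by `ntstrustedcerts` is a server (leaf) certificate rather than a CA, and to compare a pinned file against a certificate saved from the server. This is an added example, not part of the thread and not Ubuntu's or chrony's own code; the function names are hypothetical, and the sample certificates are constructed locally with `openssl` so it runs offline.

```shell
#!/bin/sh
# cert_kind FILE: print "ca" when basicConstraints says CA:TRUE, else "leaf".
cert_kind() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo ca
    else
        echo leaf
    fi
}

# same_cert A B: succeed only when both PEM files hold the same certificate
# (compared by SHA-256 fingerprint). Returns 2 if either file is unreadable.
same_cert() {
    a=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 2
    b=$(openssl x509 -in "$2" -noout -fingerprint -sha256) || return 2
    [ "$a" = "$b" ]
}

# make_samples DIR: build two constructed self-signed certificates in DIR,
# one marked as a CA and one marked as a leaf, so the checks can run offline.
make_samples() {
    cat > "$1/sample.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed.example
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
basicConstraints = critical,CA:FALSE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/sample.cnf" \
        -extensions v3_ca -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/sample.cnf" \
        -extensions v3_leaf -keyout "$1/leaf.key" -out "$1/leaf.crt" 2>/dev/null
}

# Demo on the constructed samples.
demo=$(mktemp -d) && make_samples "$demo" && {
    echo "ca.crt   -> $(cert_kind "$demo/ca.crt")"
    echo "leaf.crt -> $(cert_kind "$demo/leaf.crt")"
    same_cert "$demo/leaf.crt" "$demo/ca.crt" || echo "pinned file and other cert differ"
}
rm -rf "$demo"
```

On a real system, `cert_kind /etc/chrony/nts-bootstrap-ubuntu.crt` applies the same check to the file from the configuration quoted above.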
