Public bug reported:

### Summary

On a fresh Ubuntu 26.04 LTS (Resolute) install, chrony cannot
synchronize using NTS because `/etc/chrony/nts-bootstrap-ubuntu.crt`
contains the **leaf server certificate**
(subject=`CN=ntp-bootstrap.ubuntu.com`) rather than the **issuing CA
certificate** (`CN=ubuntu`). This causes all NTS handshakes to fail with
"The certificate issuer is unknown", making the default NTS-only
configuration non-functional.

### Impact

Since the default `ubuntu-ntp-pools.sources` uses NTS with `prefer` on
all pools, chrony refuses to synchronize time at all on a default
install when the NTS handshake fails. The `authselectmode` default in
chrony 4.8 treats NTS sources as required, so even if non-NTS sources
are added, chrony won't use them without additional configuration
changes.

Systems that reboot with clock drift (e.g., no hardware RTC, VMs,
laptops that have been off for extended periods) are particularly
affected since NTS cannot bootstrap the clock.

### Steps to Reproduce

1. Fresh install of Ubuntu 26.04 LTS (chrony 4.8-2ubuntu1)
2. Observe `timedatectl` shows "System clock synchronized: no"
3. Check chrony logs:
   ```
   journalctl -u chrony | grep -i "TLS\|failed"
   ```
   Shows:
   ```
   TLS handshake with 185.125.190.121:4460 (ntp-bootstrap.ubuntu.com) failed : Error in the certificate verification. The certificate is NOT trusted. The certificate issuer is unknown.
   ```
4. Verify the cert file is the leaf, not the CA:
   ```
   openssl x509 -in /etc/chrony/nts-bootstrap-ubuntu.crt -noout -subject -issuer
   ```
   Output:
   ```
   subject=CN=ntp-bootstrap.ubuntu.com
   issuer=CN=ubuntu
   ```
   The file should contain the CA cert (subject=`CN=ubuntu`) but instead
   contains the leaf cert issued *by* that CA.

5. Even with the system clock correct, NTS still fails:
   ```
   sudo chronyd -Q 'server ntp-bootstrap.ubuntu.com iburst nts certset 1' -f /etc/chrony/chrony.conf
   ```
   Output:
   ```
   TLS handshake with 185.125.190.121:4460 (ntp-bootstrap.ubuntu.com) failed : Error in the certificate verification. The certificate is NOT trusted. The certificate issuer is unknown.
   ```
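To make the failure mode in steps 4 and 5 concrete without touching a real Ubuntu host, here is an added example (not part of the bug report, and not chrony's or Ubuntu's code) that builds a throwaway CA and a leaf certificate signed by it with the openssl CLI, classifies each file the way step 4 does (CA:TRUE and subject-equals-issuer versus an issued end-entity cert), and then verifies the leaf against each file in turn used as the sole trust anchor. The names `example-ca` and `ntske.example.test` are constructed. chrony uses GnuTLS, so the exact wording differs, but OpenSSL's "unable to get local issuer certificate" on the anchor-is-the-leaf case is the same condition as the "The certificate issuer is unknown" in the logs above.

```shell
#!/bin/sh
# Added example: a leaf certificate cannot act as its own trust anchor.
# Assumes only the openssl CLI (1.1.1 or newer). All names are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA (CA:TRUE) and an end-entity cert issued by it.
make_test_certs() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = example-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  cat > "$WORK/leaf.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = ntske.example.test
EOF
  cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:ntske.example.test
EOF
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -days 2 -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config "$WORK/leaf.cnf" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
}

# "ca" if the certificate carries basicConstraints CA:TRUE, otherwise "leaf".
cert_kind() {
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
    echo ca
  else
    echo leaf
  fi
}

# "self-signed" if subject and issuer match (a root anchor), otherwise "issued".
cert_signer() {
  subj=$(openssl x509 -in "$1" -noout -subject); subj=${subj#subject=}
  issr=$(openssl x509 -in "$1" -noout -issuer);  issr=${issr#issuer=}
  if [ "$subj" = "$issr" ]; then echo self-signed; else echo issued; fi
}

# Validate LEAF ($2) using only the file ANCHOR ($1) as trust store, ignoring
# the system CA directory. Prints "ok" or "untrusted".
verify_against() {
  if openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo untrusted
  fi
}

make_test_certs
echo "leaf.crt: $(cert_kind "$WORK/leaf.crt") ($(cert_signer "$WORK/leaf.crt"))"   # leaf (issued)
echo "ca.crt:   $(cert_kind "$WORK/ca.crt") ($(cert_signer "$WORK/ca.crt"))"       # ca (self-signed)
echo "anchor=leaf.crt -> $(verify_against "$WORK/leaf.crt" "$WORK/leaf.crt")"      # untrusted
echo "anchor=ca.crt   -> $(verify_against "$WORK/ca.crt" "$WORK/leaf.crt")"        # ok
```

The `cert_kind`/`cert_signer` pair is the check to run on whatever file a `ntstrustedcerts` or `certset` line points at: a trust anchor should come back `ca (self-signed)`; `leaf (issued)` means the file holds the server's own certificate, and every NTS-KE handshake against that server will fail exactly as shown in the logs above. Note that the verification fails even though the anchor file and the presented certificate are byte-for-byte identical; TLS trust is anchored at the issuer, not at the end-entity.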

### Expected Behaviour

`/etc/chrony/nts-bootstrap-ubuntu.crt` should contain the CA certificate
(`subject=CN=ubuntu`) that issued the bootstrap server's leaf cert,
allowing chrony to validate the NTS-KE TLS handshake. This worked
correctly in chrony 4.7-1ubuntu1 (Questing).

### Workaround

Comment out the NTS pools in
`/etc/chrony/sources.d/ubuntu-ntp-pools.sources` and uncomment the plain
NTP pools. Add `authselectmode mix` to `/etc/chrony/chrony.conf`.

### Environment

- Ubuntu 26.04 LTS (Resolute Raccoon)
- chrony 4.8-2ubuntu1
- Kernel: 7.0.0-15-generic
- Architecture: amd64

### Related Bugs

- LP #2115565 (DHCP sources with secure config — fixed in 4.7-1ubuntu1)
- LP #2084585 (Use Ubuntu NTS servers by default)

** Affects: chrony (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/2154050

Title:
  Chrony ships wrong NTS cert (leaf instead of CA), breaking time sync
  on boot.
