From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
To: 37318@debbugs.gnu.org
Subject: bug#37318: OpenNTPD generated config is convoluted
Date: Fri, 06 Sep 2019 18:34:34 +0900 [thread overview]
Message-ID: <875zm5wyxh.fsf_-_@gmail.com> (raw)
In-Reply-To: <handler.37318.B.156773944123283.ack@debbugs.gnu.org> (GNU bug Tracking System's message of "Fri, 06 Sep 2019 03:11:02 +0000")
The problem of OpenNTPD not syncing was caused by the use of constraint
directives; ntpd would print the message (when run in debug mode with
the -v option):
--8<---------------cut here---------------start------------->8---
constraint: failed to load constraint ca
--8<---------------cut here---------------end--------------->8---
Some investigation follows.
In the sources, the block printing this message is:
    #ifdef HAVE_LIBTLS
            /* Init TLS and load CA certs before chroot() */
            if (tls_init() == -1)
                    fatalx("tls_init");
            if ((conf->ca = tls_load_file(CONSTRAINT_CA,
                &conf->ca_len, NULL)) == NULL)
                    fatalx("failed to load constraint ca");
    #endif
Furthermore, CONSTRAINT_CA is set at configuration time like:
    AC_ARG_WITH([cacert],
        AS_HELP_STRING([--with-cacert=path],
            [CA certificate location for HTTPS constraint validation]),
        CONSTRAINT_CA="$withval",
        CONSTRAINT_CA="/etc/ssl/cert.pem"
    )
The configure flag --with-cacert is not used in our openntpd package, so
it must be configured to use the certificate authority at
/etc/ssl/cert.pem.
Let's verify this:
sudo ltrace -f -e open /gnu/store/j4abi03pc4b0gfs2mlbzyd6g9bjqphyc-openntpd-6.2p3/sbin/ntpd -f ~/openntpd.conf -d -s -v
[...]
[pid 20164] libtls.so.17->open("/etc/ssl/cert.pem", 0, 00) = -1
constraint: failed to load constraint ca
[pid 20164] +++ exited (status 1) +++
[pid 20161] --- SIGCHLD (Child exited) ---
no constraint reply from 172.217.31.132 received in time, next query 900s
[pid 20165] libtls.so.17->open("/etc/ssl/cert.pem", 0, 00) = -1
constraint: failed to load constraint ca
[pid 20165] +++ exited (status 1) +++
[pid 20161] --- SIGCHLD (Child exited) ---
no constraint reply from 2404:6800:4004:818::2004 received in time, next query 900s
Indeed, it's reading that file, which doesn't exist.
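A preflight check for this failure mode, added here as an example and not part of the bug report or of OpenNTPD itself: it extracts the constraint directives from an ntpd.conf and reports whether the compiled-in CA bundle they depend on is actually present. The default path is the one from configure.ac above; the sample config and the path_exists hook are constructed for the example.

```python
import re
from pathlib import Path

# Default compiled-in CA bundle path, from OpenNTPD's configure.ac (quoted in the message above).
DEFAULT_CONSTRAINT_CA = "/etc/ssl/cert.pem"

# Matches "constraint from <host>" and "constraints from <host>"; the host may be quoted.
_CONSTRAINT_RE = re.compile(r'^\s*constraints?\s+from\s+"?([^"\s]+)"?', re.IGNORECASE)


def parse_constraints(conf_text):
    """Return the hosts named by constraint/constraints directives in an ntpd.conf."""
    hosts = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        m = _CONSTRAINT_RE.match(line)
        if m:
            hosts.append(m.group(1))
    return hosts


def check_constraint_ca(conf_text, ca_path=DEFAULT_CONSTRAINT_CA, path_exists=None):
    """Report whether the HTTPS constraints in this config can be validated at all.

    path_exists is injectable so the check can be run against a constructed filesystem.
    """
    exists = path_exists or (lambda p: Path(p).is_file())
    hosts = parse_constraints(conf_text)
    ca_present = exists(ca_path)
    if not hosts:
        status = "ok: no constraints configured"
    elif ca_present:
        status = "ok: constraint CA found at %s" % ca_path
    else:
        # This is the situation in the ltrace output above: the constraint child
        # cannot load the CA, exits with status 1, and no constraint reply arrives.
        status = ("broken: %d constraint(s) configured but %s is missing; "
                  "constraint validation will fail and time will not sync"
                  % (len(hosts), ca_path))
    return {"hosts": hosts, "ca_path": ca_path, "ca_present": ca_present, "status": status}


# Constructed sample config (hypothetical, not the file generated by the Guix service).
SAMPLE_CONF = """\
servers 0.guix.pool.ntp.org
constraints from "https://www.google.com"   # HTTPS-validated time bound
constraint from "https://www.example.com"
"""

if __name__ == "__main__":
    print(check_constraint_ca(SAMPLE_CONF)["status"])
```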