From mboxrd@z Thu Jan 1 00:00:00 1970
From: Maxim Cournoyer
Subject: bug#37318: OpenNTPD generated config is convoluted
Date: Fri, 06 Sep 2019 18:34:34 +0900
Message-ID: <875zm5wyxh.fsf_-_@gmail.com>
References: <87r24yvw0p.fsf@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain
Return-path:
Received: from eggs.gnu.org ([2001:470:142:3::10]:36282) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1i6Adz-0006rO-Cj for bug-guix@gnu.org; Fri, 06 Sep 2019 05:35:04 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1i6Ady-0001Dj-8r for bug-guix@gnu.org; Fri, 06 Sep 2019 05:35:03 -0400
Received: from debbugs.gnu.org ([209.51.188.43]:55834) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1i6Adx-0001Bs-UG for bug-guix@gnu.org; Fri, 06 Sep 2019 05:35:02 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1i6Adx-0007Wk-OJ for bug-guix@gnu.org; Fri, 06 Sep 2019 05:35:01 -0400
Sender: "Debbugs-submit"
Resent-Message-ID:
In-Reply-To: (GNU bug Tracking System's message of "Fri, 06 Sep 2019 03:11:02 +0000")
List-Id: Bug reports for GNU Guix
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org
Sender: "bug-Guix"
To: 37318@debbugs.gnu.org

The problem of OpenNTPD not syncing was caused by the use of constraint directives; ntpd would print the message (when run in debug mode with the -v option):

--8<---------------cut here---------------start------------->8---
constraint: failed to load constraint ca
--8<---------------cut here---------------end--------------->8---

Some investigation follows.
In the sources, the block printing this message is:

--8<---------------cut here---------------start------------->8---
#ifdef HAVE_LIBTLS
	/* Init TLS and load CA certs before chroot() */
	if (tls_init() == -1)
		fatalx("tls_init");
	if ((conf->ca = tls_load_file(CONSTRAINT_CA, &conf->ca_len, NULL)) == NULL)
		fatalx("failed to load constraint ca");
#endif
--8<---------------cut here---------------end--------------->8---

Furthermore, CONSTRAINT_CA is set at configuration time like:

--8<---------------cut here---------------start------------->8---
AC_ARG_WITH([cacert],
	AS_HELP_STRING([--with-cacert=path],
		[CA certificate location for HTTPS constraint validation]),
	CONSTRAINT_CA="$withval",
	CONSTRAINT_CA="/etc/ssl/cert.pem"
)
--8<---------------cut here---------------end--------------->8---

The configure flag --with-cacert is not used in our openntpd package, so it must be configured to use the certificate authority at /etc/ssl/cert.pem. Let's verify this:

--8<---------------cut here---------------start------------->8---
sudo ltrace -f -e open /gnu/store/j4abi03pc4b0gfs2mlbzyd6g9bjqphyc-openntpd-6.2p3/sbin/ntpd -f ~/openntpd.conf -d -s -v
[...]
[pid 20164] libtls.so.17->open("/etc/ssl/cert.pem", 0, 00) = -1
constraint: failed to load constraint ca
[pid 20164] +++ exited (status 1) +++
[pid 20161] --- SIGCHLD (Child exited) ---
no constraint reply from 172.217.31.132 received in time, next query 900s
[pid 20165] libtls.so.17->open("/etc/ssl/cert.pem", 0, 00) = -1
constraint: failed to load constraint ca
[pid 20165] +++ exited (status 1) +++
[pid 20161] --- SIGCHLD (Child exited) ---
no constraint reply from 2404:6800:4004:818::2004 received in time, next query 900s
--8<---------------cut here---------------end--------------->8---

Indeed, it's reading that file, which doesn't exist.
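The two steps behind the failure above, resolving the compiled-in CA path the way configure.ac does and then trying to read it the way ntpd's startup does, can be checked on a host without running ntpd at all. The script below is an added example written for this page; it is not part of the bug report or of the OpenNTPD sources. The function names constraint_ca_path and check_constraint_ca are my own, the PEM bundle it writes is a constructed placeholder rather than a real certificate, and the "at least one PEM block" test is an extra sanity check that goes beyond tls_load_file(), which only reads the file into memory. Because ntpd loads the CA before chroot() (see the source comment above), the path is checked against the host root, not the daemon's chroot directory.

```shell
#!/bin/sh
# Added example, not from the bug report or the OpenNTPD project.
# Reproduces the two steps behind "constraint: failed to load constraint ca"
# without running ntpd: resolve the compiled-in CA path as configure.ac
# does, then try to read it as ntpd does at startup (before chroot(), so
# the path is relative to the host root).

# Mirror the AC_ARG_WITH([cacert], ...) logic: an explicit --with-cacert
# value wins, otherwise the default /etc/ssl/cert.pem is compiled in.
# (Hypothetical helper name; the argument is the value given to --with-cacert.)
constraint_ca_path() {
    withval="$1"
    if [ -n "$withval" ]; then
        printf '%s\n' "$withval"
    else
        printf '%s\n' /etc/ssl/cert.pem
    fi
}

# Approximate what ntpd does with CONSTRAINT_CA: tls_load_file() must be
# able to open and read the file, otherwise ntpd calls
# fatalx("failed to load constraint ca") and the constraint process exits 1.
# The PEM-block grep is an added sanity check (tls_load_file itself does not
# parse the file), so an empty or non-PEM bundle is also reported here.
# Returns 0 when the bundle would load, 1 otherwise (reason on stderr).
check_constraint_ca() {
    ca="$1"
    if [ ! -r "$ca" ]; then
        echo "constraint: failed to load constraint ca ($ca: cannot open)" >&2
        return 1
    fi
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$ca"; then
        echo "constraint: failed to load constraint ca ($ca: no PEM certificate block)" >&2
        return 1
    fi
    return 0
}

# Demonstration on constructed input: a temporary bundle holding a
# placeholder PEM block (not a real certificate), compared with the
# compiled-in default path on this host.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'MIIB...placeholder-not-a-real-certificate...' \
        '-----END CERTIFICATE-----' > "$tmp"

    echo "default CONSTRAINT_CA: $(constraint_ca_path '')"
    echo "with --with-cacert=$tmp: $(constraint_ca_path "$tmp")"

    check_constraint_ca "$tmp" && echo "ok: $tmp would load"
    check_constraint_ca "$(constraint_ca_path '')" \
        || echo "ntpd built with the default would exit(1) on this host"

    rm -f "$tmp"
}

demo
```

Run it on the host that will execute ntpd: if the default path check fails, either build with --with-cacert pointing at a bundle that exists on that system or make /etc/ssl/cert.pem available there.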