GNU bug report logs - #37318: OpenNTPD generated config is convoluted
Report forwarded to bug-guix <at> gnu.org: bug#37318; Package guix. (Fri, 06 Sep 2019 03:11:02 GMT)
Acknowledgement sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>: New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Fri, 06 Sep 2019 03:11:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
For the following documented openntpd-service-type definition:
--8<---------------cut here---------------start------------->8---
(service openntpd-service-type
         (openntpd-configuration
          (listen-on '("127.0.0.1" "::1"))
          (sensor '("udcf0 correction 70000"))
          (constraint-from '("www.gnu.org"))
          (constraints-from '("https://www.google.com/"))
          (allow-large-adjustment? #t)))
--8<---------------cut here---------------end--------------->8---
The following configuration file is generated:
--8<---------------cut here---------------start------------->8---
listen on 127.0.0.1
listen on ::1
constraints from "https://www.google.com/"
constraints from "https://www.google.com/"
sensor udcf0 correction 70000
constraints from "https://www.google.com/"
server 0.guix.pool.ntp.org
server 1.guix.pool.ntp.org
server 2.guix.pool.ntp.org
server 3.guix.pool.ntp.org
constraints from "https://www.google.com/"
constraints from "https://www.google.com/"
constraint from www.gnu.org
--8<---------------cut here---------------end--------------->8---
Notice the repeated "constraints from" directives.
Information forwarded to bug-guix <at> gnu.org: bug#37318; Package guix. (Fri, 06 Sep 2019 03:24:01 GMT)
Message #8 received at 37318 <at> debbugs.gnu.org (full text, mbox):
I also can't seem to make it sync, see my test below.
Tests:
# Set the date to somewhere in the past
sudo date -s 'Tue Sep 3 12:00:00 JST 2019'
# Set the hwclock to the same wrong date
sudo hwclock --systohc
Then I launched (open)ntpd manually in verbose mode:
sudo /gnu/store/j4abi03pc4b0gfs2mlbzyd6g9bjqphyc-openntpd-6.2p3/sbin/ntpd -f /gnu/store/v2cqcxliivrcn1rlz78p6mg21k7pxyrx-ntpd.conf -d -s -v
adjtimex returns frequency of 27.512100ppm
listening on 127.0.0.1
listening on ::1
ntp engine ready
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
no constraint reply from 172.217.31.132 received in time, next query 900s
no constraint reply from 172.217.31.132 received in time, next query 900s
no constraint reply from 2001:470:142:3::a received in time, next query 900s
no constraint reply from 2404:6800:4004:818::2004 received in time, next query 900s
constraint: failed to load constraint ca
constraint: failed to load constraint ca
no constraint reply from 172.217.31.132 received in time, next query 900s
no constraint reply from 172.217.31.132 received in time, next query 900s
no constraint reply from 172.217.31.132 received in time, next query 900s
no constraint reply from 2404:6800:4004:818::2004 received in time, next query 900s
constraint: failed to load constraint ca
no constraint reply from 2404:6800:4004:818::2004 received in time, next query 900s
no constraint reply from 2404:6800:4004:818::2004 received in time, next query 900s
constraint: failed to load constraint ca
no constraint reply from 209.51.188.148 received in time, next query 900s
no constraint reply from 2404:6800:4004:818::2004 received in time, next query 900s
no reply received in time, skipping initial time setting
constraint: failed to load constraint ca
constraint: failed to load constraint ca
no constraint reply from 2404:6800:4004:818::2004 received in time, next query 900s
no constraint reply from 172.217.31.132 received in time, next query 900s
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
no constraint reply from 2404:6800:4004:818::2004 received in time, next query 900s
no constraint reply from 172.217.31.132 received in time, next query 900s
no constraint reply from 2404:6800:4004:818::2004 received in time, next query 900s
no constraint reply from 172.217.31.132 received in time, next query 900s
no constraint reply from 2404:6800:4004:818::2004 received in time, next query 900s
no constraint reply from 172.217.31.132 received in time, next query 900s
no constraint reply from 2404:6800:4004:818::2004 received in time, next query 900s
cat /gnu/store/v2cqcxliivrcn1rlz78p6mg21k7pxyrx-ntpd.conf
listen on 127.0.0.1
listen on ::1
constraints from "https://www.google.com/"
constraints from "https://www.google.com/"
sensor udcf0 correction 70000
constraints from "https://www.google.com/"
server 0.guix.pool.ntp.org
server 1.guix.pool.ntp.org
server 2.guix.pool.ntp.org
server 3.guix.pool.ntp.org
constraints from "https://www.google.com/"
constraints from "https://www.google.com/"
constraint from www.gnu.org
Many tens of minutes later my date is still stuck in the past (despite
using the "-s" flag, which is supposed to set the time immediately
rather than slowly at startup).
Am I missing something?
Maxim
Information forwarded to bug-guix <at> gnu.org: bug#37318; Package guix. (Fri, 06 Sep 2019 09:35:01 GMT)
Message #11 received at 37318 <at> debbugs.gnu.org (full text, mbox):
The problem of OpenNTPD not syncing was caused by the use of constraint
directives; ntpd would print the message (when run in debug mode with
the -v option):
--8<---------------cut here---------------start------------->8---
constraint: failed to load constraint ca
--8<---------------cut here---------------end--------------->8---
Some investigation follows.
In the sources, the block printing this message is:
#ifdef HAVE_LIBTLS
        /* Init TLS and load CA certs before chroot() */
        if (tls_init() == -1)
                fatalx("tls_init");
        if ((conf->ca = tls_load_file(CONSTRAINT_CA,
            &conf->ca_len, NULL)) == NULL)
                fatalx("failed to load constraint ca");
#endif
Furthermore, CONSTRAINT_CA is set at configuration time like:
AC_ARG_WITH([cacert],
        AS_HELP_STRING([--with-cacert=path],
                [CA certificate location for HTTPS constraint validation]),
        CONSTRAINT_CA="$withval",
        CONSTRAINT_CA="/etc/ssl/cert.pem"
)
The configure flag --with-cacert is not used in our openntpd package, so
it must be configured to use the certificate authority at
/etc/ssl/cert.pem.
Let's verify this:
sudo ltrace -f -e open /gnu/store/j4abi03pc4b0gfs2mlbzyd6g9bjqphyc-openntpd-6.2p3/sbin/ntpd -f ~/openntpd.conf -d -s -v
[...]
[pid 20164] libtls.so.17->open("/etc/ssl/cert.pem", 0, 00) = -1
constraint: failed to load constraint ca
[pid 20164] +++ exited (status 1) +++
[pid 20161] --- SIGCHLD (Child exited) ---
no constraint reply from 172.217.31.132 received in time, next query 900s
[pid 20165] libtls.so.17->open("/etc/ssl/cert.pem", 0, 00) = -1
constraint: failed to load constraint ca
[pid 20165] +++ exited (status 1) +++
[pid 20161] --- SIGCHLD (Child exited) ---
no constraint reply from 2404:6800:4004:818::2004 received in time, next query 900s
Indeed, it's reading that file, which doesn't exist.
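Both problems reported in this thread, repeated directives in the generated file and constraint directives whose CA bundle cannot be opened, can be checked before ntpd is started. The following is an added example, not code from Guix or OpenNTPD: the function names are hypothetical, the sample text is a constructed copy of the generated file above, and /etc/ssl/cert.pem is the compiled-in default quoted in the message.

```python
"""Lint an OpenNTPD ntpd.conf for duplicate directives and a missing CA bundle."""
import os
from collections import Counter

# Compiled-in fallback from the configure snippet quoted in the thread.
DEFAULT_CA = "/etc/ssl/cert.pem"

# Constructed sample: copy of the generated configuration shown in the report.
SAMPLE_CONF = """\
listen on 127.0.0.1
listen on ::1
constraints from "https://www.google.com/"
constraints from "https://www.google.com/"
sensor udcf0 correction 70000
constraints from "https://www.google.com/"
server 0.guix.pool.ntp.org
server 1.guix.pool.ntp.org
server 2.guix.pool.ntp.org
server 3.guix.pool.ntp.org
constraints from "https://www.google.com/"
constraints from "https://www.google.com/"
constraint from www.gnu.org
"""

def parse_directives(text):
    """Return whitespace-normalized directives, skipping blank and '#' lines.

    Simplification: only whole-line comments are stripped, so a '#' inside
    a quoted URL is never mistaken for a comment.
    """
    lines = (" ".join(raw.split()) for raw in text.splitlines())
    return [line for line in lines if line and not line.startswith("#")]

def duplicate_directives(directives):
    """Map each directive that appears more than once to its count."""
    return {d: n for d, n in Counter(directives).items() if n > 1}

def uses_constraints(directives):
    """True if any HTTPS time constraint is configured."""
    return any(d.startswith(("constraint from ", "constraints from "))
               for d in directives)

def lint(text, ca_path=DEFAULT_CA):
    """Return a list of findings; an empty list means nothing was flagged."""
    directives = parse_directives(text)
    findings = [f"duplicate directive ({n}x): {d}"
                for d, n in sorted(duplicate_directives(directives).items())]
    # Constraints are validated over TLS, so the CA bundle must be readable.
    if uses_constraints(directives) and not os.access(ca_path, os.R_OK):
        findings.append(f"constraints configured but CA bundle unreadable: {ca_path}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONF)) or "no findings")
```

Pass the CA path the ntpd binary was actually built with as `ca_path` when it differs from the default.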
Information forwarded to bug-guix <at> gnu.org: bug#37318; Package guix. (Sat, 07 Sep 2019 04:22:01 GMT)
Message #14 received at 37318 <at> debbugs.gnu.org (full text, mbox):
Hello,
The attached patches fix this issue as well as the openntpd package not
being able to load the CA cert used to authenticate constraint servers.
It depends on the NTP patches posted here: bugs.gnu.org/37295.
[0001-gnu-openntpd-Fix-error-CA-errors-when-using-constrai.patch (text/x-patch, attachment)]
[0002-services-openntpd-Remove-useless-let.patch (text/x-patch, attachment)]
[0003-services-openntpd-Add-test-for-issue-3731.patch (text/x-patch, attachment)]
[0004-services-openntpd-Fix-the-config-generation-code.patch (text/x-patch, attachment)]
Information forwarded to bug-guix <at> gnu.org: bug#37318; Package guix. (Sun, 08 Sep 2019 08:08:02 GMT)
Message #17 received at 37318 <at> debbugs.gnu.org (full text, mbox):
On Sat, Sep 07, 2019 at 01:21:27PM +0900, Maxim Cournoyer wrote:
> Hello,
>
> The attached patches fix this issue as well as the openntpd package not
> being able to load the CA cert used to authenticate constraint servers.
>
> It depends on the NTP patches posted here: bugs.gnu.org/37295.
>
This set also looks good to me. Make sure you don't forget any copyright
lines for yourself.
--
Efraim Flashner <efraim <at> flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
Reply sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>: You have taken responsibility. (Tue, 10 Sep 2019 04:05:01 GMT)
Notification sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>: bug acknowledged by developer. (Tue, 10 Sep 2019 04:05:02 GMT)
Message #22 received at 37318-done <at> debbugs.gnu.org (full text, mbox):
Hello,
Efraim Flashner <efraim <at> flashner.co.il> writes:
> On Sat, Sep 07, 2019 at 01:21:27PM +0900, Maxim Cournoyer wrote:
>> Hello,
>>
>> The attached patches fix this issue as well as the openntpd package not
>> being able to load the CA cert used to authenticate constraint servers.
>>
>> It depends on the NTP patches posted here: bugs.gnu.org/37295.
>>
>
> This set also looks good to me. Make sure you don't forget any copyright
> lines for yourself.
I thought I had answered already, but it seems my reply wasn't sent.
Fixed in commit cccdfae388d61f2263a085a4ddac8cb2919d01531. Thanks for
the review!
Maxim
Bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 08 Oct 2019 11:24:05 GMT)
This bug report was last modified 4 years and 201 days ago.