我已经在两台 Centos 9 Stream 机器上配置了 Chrony 服务器和客户端。如果没有 NTS,一切都很好,并且时间正在同步。但是,当我启用 NTS 并将服务器配置为使用证书时,同步失败。知道可能是什么问题吗?以下是服务器和客户端配置:
服务器:
[root@server1 ~]# cat /etc/chrony.conf
pool 2.centos.pool.ntp.org iburst
sourcedir /run/chrony-dhcp
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
allow 192.168.11.0/24
keyfile /etc/chrony.keys
ntsdumpdir /var/lib/chrony
leapsectz right/UTC
logdir /var/log/chrony
ntsserverkey /etc/certs/chrony.key
ntsservercert /etc/certs/chrony.crt
[root@server1 ~]# cat /etc/chrony.keys
1 MD5 AVeryLongAndRandomPassword
客户:
[root@client1 ~]# cat /etc/chrony.conf
sourcedir /run/chrony-dhcp
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
keyfile /etc/chrony.keys
ntsdumpdir /var/lib/chrony
leapsectz right/UTC
logdir /var/log/chrony
server server1 iburst nts
[root@client1 ~]# cat /etc/chrony.keys
1 MD5 AVeryLongAndRandomPassword
同步测试:
[root@client1 ~]# chronyd -Q -t 3 'server server1 iburst nts maxsamples 1'
2022-08-06T23:23:52Z chronyd version 4.2 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 +DEBUG)
2022-08-06T23:23:52Z Disabled control of system clock
2022-08-06T23:23:52Z TLS handshake with 192.168.11.29:4460 (server1) failed : The TLS connection was non-properly terminated.
2022-08-06T23:23:55Z chronyd exiting
检查捕获时,似乎服务器在收到客户端hello后终止了连接:
答案1
您的 NTS 服务器使用的证书是否受您的客户端信任?我尝试重现您的配置,并且能够使事情正常运行。
服务器设置
我首先生成一个供服务器使用的自签名证书:
server# cd /etc/chrony
server# openssl req -x509 -nodes -newkey rsa:4096 \
-keyout chrony.key -out chrony.crt \
-sha256 -days 365 -subj /CN=server1
我这样配置服务器:
pool 2.centos.pool.ntp.org iburst
sourcedir /run/chrony-dhcp
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
allow 192.168.11.0/24
keyfile /etc/chrony.keys
ntsdumpdir /var/lib/chrony
leapsectz right/UTC
logdir /var/log/chrony
ntsserverkey /etc/certs/chrony.key
ntsservercert /etc/certs/chrony.crt
我以调试模式启动服务器来测试它并看到错误(“无法设置凭据”)。
server# chronyd -d
2022-08-08T00:54:52Z chronyd version 4.2 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 +DEBUG)
2022-08-08T00:54:52Z Frequency 0.765 +/- 3.876 ppm read from /var/lib/chrony/drift
2022-08-08T00:54:52Z Could not set credentials : Error while reading file.
2022-08-08T00:54:52Z Using right/UTC timezone to obtain leap second data
/etc/certs/chrony.key该错误是由 root 和 mode 拥有的权限引起的0600。我让它归用户所有
chrony:
server# chown chrony /etc/certs/*
chronyd -d现在,当我在服务器上启动时,它运行时没有错误。
客户端设置
在客户端,我使用了你的配置文件:
sourcedir /run/chrony-dhcp
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
keyfile /etc/chrony.keys
ntsdumpdir /var/lib/chrony
leapsectz right/UTC
logdir /var/log/chrony
server server1 iburst nts
当我第一次尝试启动时chronyd -d,我看到以下错误:
2022-08-08T01:01:06Z TLS handshake with 192.168.122.17:4460 (server1)
failed : Error in the certificate verification. The certificate is NOT
trusted. The certificate issuer is unknown.
这是预期的,因为我使用的是自签名证书。为了解决这个问题,我们可以将该证书安装为受信任的证书。在我的系统(Fedora,应该与您的 CentOS 系统匹配)上,这意味着将其安装到/etc/pki/ca-trust/source/anchors然后运行update-ca-trust:
client# cat > /etc/pki/ca-trust/source/anchors/server1.crt
<paste certificate here>
^D
client# update-ca-trust
现在,当我运行时,chronyd -d我没有看到任何错误。此外,客户端成功连接到服务器:
2022-08-08T01:03:36Z Selected source 192.168.122.17 (server1)
以及正在运行的chronyc -N authdata节目:
client# chronyc -N authdata
Name/IP address Mode KeyID Type KLen Last Atmp NAK Cook CLen
=========================================================================
server1 NTS 1 15 256 45 0 0 8 100