Hello, A few weeks ago I had Chrony, installed from base, working without any problem. Since a few days, it doesn't even start, and the problem may comes from NSS enabled by default (cf. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217691 ). At boot time, in /var/log/messages I have this error: "(chronyd), uid 849: exited on signal 6" Here are some commands causing problems: # chronyd -d 2017-11-24T12:06:37Z chronyd version 3.1 starting (+CMDMON +NTP +REFCLOCK -RTC +PRIVDROP -SCFILTER +SECHASH -SIGND +ASYNCDNS +IPV6 -DEBUG) Assertion failed: (MD5_hash >= 0), function UTI_IPToRefid, file util.c, line 373. Abandon # chronyc keygen 73 SHA1 256 Unknown hash function SHA1 # chronyc keygen 73 MD5 256 Unknown hash function MD5 Now, I have just compiled Chrony without NSS and it starts and works fine. I just can't use the hash functions but I don't need them. Best Regards, Olivier
@John Hein Do you know what might be causing this issue for Olivier?
Looks like the same errors: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217615 But in my case, I need IPv6 and no crypto. Maybe there is a strange incompatibility between the two. I'll try to rebuild the other way: enabling NSS and disabling IPv6 for testing.
Just tested with NSS and without IPv6, the chrony daemon does start and works. But the commands mentionned in my first post still doesn't work: "# chronyc keygen 73 SHA1 256 Unknown hash function SHA1" Maybe some dependencies are missing for NSS to work properly?
Well, I don't know why "chronyc keygen 73 SHA1 256" doesn't work, but for now I'd like chronyd to work and I may have found something. The error comes from: https://github.com/mlichvar/chrony/blob/c9f50fc686d93b982cb0ef72b9e140114fccf53b/util.c#L372 MD5_hash = HSH_GetHashId("MD5"); assert(MD5_hash >= 0); And I found in NSS 3.14 release note: "Support for certificate signatures using the MD5 hash algorithm is now disabled by default.": https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.14_release_notes I'll search how to enable MD5 in NSS and see if that solves the problem. I'll report back later.
I've added "NSS_HASH_ALG_SUPPORT=+MD5" in NSS' Makefile (with the others variables in "MAKE_ENV="), but it didn't solve the problem :-( I don't know what to search. I'll go back to disable NSS as I don't need it.
I am having the same issue but when using time.google.com as the servers: 2018-05-06T11:51:41Z chronyd version 3.1 starting (+CMDMON +NTP +REFCLOCK -RTC +PRIVDROP -SCFILTER +SECHASH -SIGND +ASYNCDNS +IPV6 -DEBUG) 2018-05-06T11:51:41Z Frequency 0.090 +/- 0.037 ppm read from /var/db/chrony/drift Assertion failed: (MD5_hash >= 0), function UTI_IPToRefid, file util.c, line 373. Abort with this conf: server time.google.com user chronyd driftfile /var/db/chrony/drift dumponexit dumpdir /var/db/chrony pidfile /var/run/chronyd.pid stratumweight 0 makestep 1.0 3 logchange 0.5 bindcmdaddress 127.0.0.1 bindcmdaddress ::1 allow
disabling IPV6 or NSS helps to start chronyd, but having both is not posible
A commit references this bug: Author: tobik Date: Wed May 9 03:01:59 UTC 2018 New revision: 469426 URL: https://svnweb.freebsd.org/changeset/ports/469426 Log: net/chrony: Update to 3.3 - Add explicit DOCS, EXAMPLES options - Replace %%PREFIX%% in sample files - Make sure chronyc is really linked with libedit from ports - Add support for security/nettle and use it by default since chrony crashes on startup when built with NSS. [1] PR: 227779, 223840 [1] Submitted by: takefu@airport.fm Approved by: maintainer Changes: head/net/chrony/Makefile head/net/chrony/distinfo
A commit references this bug: Author: mandree Date: Sun Apr 5 21:20:12 UTC 2020 New revision: 530840 URL: https://svnweb.freebsd.org/changeset/ports/530840 Log: net/chrony: make NETTLE build robust, improve rc script, re-enable NSS Changes by Colin T.: * Always require pkgconfig instead of only requiring it for NSS, because otherwise chrony does not link reliably to nettle. [1] * Add pidfile to rc.d script to stop it from complaining when stopping chronyd. [1] * Document chronyd_* options in rc.d script. [1] Changes by Matthias Andree: * Move USES line up to please portlint. * Add HTMLDOCS option, to build and install HTML docs. IMPLIES DOCS. Needs textproc/asciidoctor (rubygem) as build requisite. * Turn CRYPTLIB into a _RADIO to choose at most one from NSS + NETTLE. * Under WITH_DEBUG, add --enable-debug to CONFIGURE_ARGS. * Remove @ (silent) from Makefile commands. * Remove NSS_BROKEN, chrony 3.5 appears to work with NSS. Updates [3]. PR: 244534 [1] PR: 242510 [2] PR: 223840 [3] Submitted by: Colin T. <bugzilla@nulldir.e4ward.com> [1] Reported by: Matt Smith <freebsd@xtaz.uk> [2] Approved by: maintainer timeout (yonas@fizk.net, 36 days) Changes: head/net/chrony/Makefile head/net/chrony/files/chronyd.in head/net/chrony/pkg-plist