Summary: | rc.d/ntpd: Cannot fetch leap-seconds file if security/ca_root_nss package not installed | ||
---|---|---|---|
Product: | Base System | Reporter: | Vick Khera <vivek> |
Component: | bin | Assignee: | freebsd-rc (Nobody) <rc> |
Status: | Closed FIXED | ||
Severity: | Affects Many People | CC: | dclarke, freebsd, imp, jasonmader, kevans, meta, pi |
Priority: | --- | Keywords: | needs-qa |
Version: | 10.3-RELEASE | Flags: | koobs: maintainer-feedback? (kevans), koobs: mfc-stable13?, koobs: mfc-stable12? |
Hardware: | amd64 | ||
OS: | Any | ||
See Also: | https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=230017 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=228621 | ||
Description
Vick Khera
2016-10-13 12:58:00 UTC
I suspect the workaround here is to add --no-verify-peer to ntp_leapfile_fetch_opts in the /etc/defaults/rc.conf file, but that seems wrong and is just asking for a hack to happen.

I believe this problem may be related to the following commit, but unsure; gut feeling says very likely: http://www.freshbsd.org/commit/freebsd/r325256

(In reply to Jeremy Chadwick from comment #2) Ignore, wrong tab. Comment was intended for unrelated Bug 224126.

I opened Bug 230017 before I saw this. FreeBSD 11.2 was released with an outdated leap-seconds file.

*** Bug 230017 has been marked as a duplicate of this bug. ***

I don't think adding --no-verify-peer is the right way. As cem says in bug 213448, ca_root_nss should be in base.

Just an idea, is it possible to distribute new leap-seconds file to replace expired file via freebsd-update?

(In reply to Koichiro Iwao from comment #8) AFAIK, it's possible yes. freebsd-update works in a way that it builds world and kernel 2 times and compares which files/libs changed since the first time it built the source; so one 'touch' command hitting the leap-seconds file can make it to be part of the list of files pushed to freebsd-update. Like, freebsd-update builds the untouched source of releng/12.1 and after it's done the patches are applied and freebsd-update compiles the code again. After it's all done, the comparing phase starts and it indexes what will be part of the next "-pX" release.

@Kyle Has the situation changed since CA stuff in base?

*** Bug 275799 has been marked as a duplicate of this bug. ***

*** Bug 262391 has been marked as a duplicate of this bug. ***

The duplicate bug I filed is not *really* a duplicate but close enough for anyone to care about the fact that the leap seconds data file can not easily be found. Certainly the information in the default ntp.conf file is wrong.

Seems the place to go to get an up to date leap seconds file is: https://data.iana.org/time-zones/data/leap-seconds.list

The two canonical places to get an up to date leap are: https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list and NIST's ftp server, which they are phasing out. The IETF one is laggy and we should use the above link.

https://reviews.freebsd.org/D43752

(In reply to Warner Losh from comment #14) Nice to see this is a done deal: https://cgit.freebsd.org/src/commit/?id=11da791920ba285f0832f09cb504ac81e35ff8d1 Merged to 13.3 and maybe will be an EN too...
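
An added example, not part of the bug thread and not FreeBSD's rc.d/ntpd code: instead of passing --no-verify-peer, leave certificate verification on and check a fetched leap-seconds file for structure and expiry before installing it. The function names and the sample file are constructed for illustration; the code assumes the leap-seconds.list layout in which the "#@" line carries the expiry as an NTP timestamp.

```shell
#!/bin/sh
# Added example: helper names and the sample file are constructed.

NTP_UNIX_OFFSET=2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01

# Print the file's expiry as a Unix epoch; fail if no valid "#@" line exists.
leapfile_expiry_epoch() {
    ntp_ts=$(awk '$1 == "#@" && $2 ~ /^[0-9]+$/ { print $2; exit }' "$1")
    [ -n "$ntp_ts" ] || return 1
    echo $((ntp_ts - NTP_UNIX_OFFSET))
}

# Classify a candidate file as: invalid | expired | expiring | ok
# usage: leapfile_status FILE NOW_EPOCH WARN_DAYS
leapfile_status() {
    file=$1 now=$2 warn_days=$3
    # A usable file has at least one "<ntp-timestamp> <TAI offset>" data line.
    grep -Eq '^[0-9]+[[:space:]]+[0-9]+' "$file" 2>/dev/null || { echo invalid; return; }
    expiry=$(leapfile_expiry_epoch "$file") || { echo invalid; return; }
    if [ "$expiry" -le "$now" ]; then
        echo expired            # do not install; keep the current file
    elif [ "$expiry" -le $((now + warn_days * 86400)) ]; then
        echo expiring           # usable, but a refresh is due
    else
        echo ok
    fi
}

# Constructed sample in leap-seconds.list layout, written to the given path.
write_sample_leapfile() {
    cat > "$1" <<'EOF'
#$	3676924800
#@	3928521600
2272060800	10	# 1 Jan 1972
3692217600	37	# 1 Jan 2017
EOF
}

# Stand-alone demo: classify the sample against the current time.
tmp=$(mktemp) && write_sample_leapfile "$tmp"
echo "sample file status: $(leapfile_status "$tmp" "$(date +%s)" 30)"
rm -f "$tmp"
```

Only a file reported as ok or expiring should replace the installed copy; an HTML error page or truncated download comes back as invalid.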