Secure NTP with NTS

Chrony supports nts since version 4.0. I tried to build nts server and client.

server configuration

example of chrony 4.2 on ubuntu 22.04 LTS

server time.facebook.com iburst maxpoll 11
server time.google.com   iburst maxpoll 11
server time.apple.com    iburst maxpoll 11

ntsserverkey /etc/chrony/key.pem
ntsservercert /etc/chrony/crt.pem

key.pem and crt.pem are openssl private key and certificate(with intermediate ca certificate) file pair. The certificate needs to include your fqdn of your nts server.

When I put key and crt files in a sub directory of /etc/ssl, below error occured.

Could not set credentials : Error while reading file.

In /var/log/syslog, I found audit log of apparmor which shows it denied for chronyd to open the key file. When I put them in /etc/chrony, I successed to run it.

Before test from client, you have to open not only 123/udp for NTP but also 4460/tcp for NTS-KE.

$ chronyd -Q -t 8 'server mynts.example.com iburst nts'
$ sudo chronyc serverstats

client configuration

example of chrony 4.0 on Debian 11

server mynts.example.com iburst nts
server ptbtime1.ptb.de   iburst nts
server nts.time.nl       iburst nts
server nts.ntp.se        iburst nts

ntstrustedcerts /etc/chrony/cacert.crt

When you use selfsigned CA to make your certificate in the nts server, you have to show your own ca certificate file to chrony.conf in ntstrustedcerts.