chrony NTS certificate reload


The chrony NTS daemon has no way to automatically reload its NTS certificate. A quick hack fixes this.

(This is part 5 in the NTS series. Did you already read part 1?)

In my setup, chrony inherits the certificate from a web server, which displays information and status. The web server manages certificates automatically using Let’s Encrypt and has no way of restarting chrony on certificate updates.

Restarting chronyd is also (currently) the only way to have it reload its NTS certificate. (Other key material can be reloaded without restarting the daemon, but not certificates or private keys.)

#!/bin/sh
# Restart chronyd if the NTS certificate was written after the daemon started.
find /etc/chrony/keys/ \
  -name signed.crt \
  -newer /run/chrony/chronyd.pid \
  -exec systemctl restart chrony \;

What does it do?

It looks in /etc/chrony/keys/ for a file named signed.crt that is newer than chronyd's PID file, i.e. a certificate written after the daemon last started, and if it finds one it restarts chrony via systemctl.

Depending on your system, you will have to change the paths, file names and command.

You should save this as an executable file (chmod 755) in /etc/cron.daily/, e.g., as chrony-reread-certificate.
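A slightly more defensive version of the same cron.daily script, added here as an example and not part of the original post. It keeps the post's Debian-style paths and unit name as assumptions (signed.crt under /etc/chrony/keys/, /run/chrony/chronyd.pid, the systemd unit "chrony"), does nothing when chronyd is not running, and refuses to restart into a certificate file that does not parse or has already expired, so a half-written file from the ACME client cannot take NTS down for every client.

```shell
#!/bin/sh
# Added example (not from the original post): a more defensive cron.daily
# script. Paths and the unit name are assumptions from the post's layout;
# adjust them for your distribution (the unit is "chronyd" on some).
set -eu

CERT="${CERT:-/etc/chrony/keys/signed.crt}"     # written by the web server's ACME client
PIDFILE="${PIDFILE:-/run/chrony/chronyd.pid}"   # written by chronyd at startup
UNIT="${UNIT:-chrony}"                          # systemd unit to restart

# Return 0 when the certificate exists and was written after chronyd started.
# A missing PID file means chronyd is not running, so there is nothing to reload.
cert_newer_than_pid() {
    cert="$1"; pidfile="$2"
    [ -f "$cert" ] || return 1
    [ -f "$pidfile" ] || return 1
    # -nt is not strictly POSIX but dash, bash and busybox sh all support it.
    [ "$cert" -nt "$pidfile" ]
}

# Return 0 when the certificate parses and has not expired yet.
# When openssl is not installed the check is skipped rather than blocking.
cert_is_usable() {
    cert="$1"
    command -v openssl >/dev/null 2>&1 || return 0
    openssl x509 -noout -checkend 0 -in "$cert" >/dev/null 2>&1
}

main() {
    if ! cert_newer_than_pid "$CERT" "$PIDFILE"; then
        exit 0   # nothing changed since the last start; stay quiet for cron
    fi
    if ! cert_is_usable "$CERT"; then
        echo "$0: $CERT is newer than $PIDFILE but does not validate, not restarting $UNIT" >&2
        exit 1   # non-zero so cron reports the problem instead of silently skipping
    fi
    echo "$0: $CERT changed after $UNIT started, restarting"
    systemctl restart "$UNIT"
}

# Only act when installed under the file name used in the post; when the file
# is sourced or run under another name only the functions are defined.
if [ "$(basename -- "$0")" = chrony-reread-certificate ]; then
    main
fi
```

Install it as /etc/cron.daily/chrony-reread-certificate with mode 755, exactly like the original script; the functions can also be sourced from another script to reuse the checks.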
