The chrony NTS daemon has no way to automatically reload its NTS certificate. A quick hack fixes this.
(This is part 5 in the NTS series. Did you already read part 1?)
In my setup, chrony inherits the certificate from a web server, which displays information and status. The web server manages certificates automatically using Let’s Encrypt and has no way of restarting chrony on certificate updates.
Restarting chronyd is also (currently) the only way to have it reload its NTS certificate. (Other key material can be reloaded without restarting the daemon, but not certificates or private keys.)
#!/bin/sh
# Restart chronyd if the NTS certificate is newer than the daemon's pid file,
# i.e. if it was renewed after chronyd last started.
find /etc/chrony/keys/ \
    -name signed.crt \
    -newer /run/chrony/chronyd.pid \
    -exec systemctl restart chrony \;
What does it do?
- It checks whether in the directory /etc/chrony/keys/ there is a file signed.crt (actually, find will search anywhere below the directory). That is the certificate file signed by the Let’s Encrypt CA.
- If that file is newer than /run/chrony/chronyd.pid (the file containing the daemon’s process ID, written at chronyd starting time), it restarts the daemon (systemctl restart chrony).
- Therefore, the restart action takes place whenever the certificate has been updated after the last launch of the daemon.
Depending on your system, you will have to change the paths, file names and command.
You should save this as an executable file (chmod 755) in /etc/cron.daily/, e.g., as chrony-reread-certificate.
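The same check, written out as an added example that is not the post's own script: the comparison lives in a function that reports its decision, the restart command is a variable so the file can be adapted to other init systems, and a missing pid file is treated as "do not restart" rather than letting `systemctl restart` quietly start a daemon that was not running. The directory, file name and pid file path are the post's Debian-style defaults and are assumptions to adjust for your system; the `main` function only runs when the file is installed under the name the post suggests, so sourcing it elsewhere just defines the functions.

```shell
#!/bin/sh
# Added example (not the post's script). Restart chronyd only when its NTS
# certificate was renewed after the daemon last started.
# Defaults below are assumptions for a Debian-style chrony layout.

CERT_DIR="${CERT_DIR:-/etc/chrony/keys}"        # where the web server drops the cert
CERT_NAME="${CERT_NAME:-signed.crt}"            # file signed by the Let's Encrypt CA
PIDFILE="${PIDFILE:-/run/chrony/chronyd.pid}"   # written when chronyd starts
RESTART_CMD="${RESTART_CMD:-systemctl restart chrony}"

# needs_restart DIR PIDFILE
#   0 -> at least one CERT_NAME below DIR is newer than PIDFILE (restart needed)
#   1 -> no certificate changed since the daemon started (nothing to do)
#   2 -> PIDFILE is missing: chronyd is not running or the path is wrong;
#        a "restart" would silently start the daemon, so refuse instead
needs_restart() {
    dir=$1
    pidfile=$2
    [ -f "$pidfile" ] || return 2
    # -newer compares modification times; matches are counted instead of
    # executed so the decision stays separate from the action (and testable)
    count=$(find "$dir" -name "$CERT_NAME" -newer "$pidfile" -print 2>/dev/null | wc -l)
    [ "$count" -gt 0 ]
}

main() {
    needs_restart "$CERT_DIR" "$PIDFILE"
    case $? in
        0) echo "NTS certificate newer than $PIDFILE, restarting chronyd"
           $RESTART_CMD ;;
        1) ;;   # certificate unchanged since last start
        2) echo "pid file $PIDFILE not found, not restarting" >&2
           return 2 ;;
    esac
}

# Run only when invoked as the cron job itself; sourcing the file just
# defines the functions above.
case "$0" in
    */chrony-reread-certificate|chrony-reread-certificate) main ;;
esac
```

Because it only compares mtimes, the job restarts the daemon at most once per renewal and never on an unchanged certificate, so the daily cron cadence is enough for Let's Encrypt's renewal rhythm.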