The chrony daemon has no way to automatically reload its NTS certificate. A quick hack fixes this.
In my setup, chrony inherits the certificate from a web server, which displays information and status. The web server manages certificates automatically using Let’s Encrypt and has no way of restarting chrony on certificate updates.
Restarting chronyd is also (currently) the only way to have it reload its NTS certificate. (Other key material can be reloaded without restarting the daemon, but not certificates or private keys.)
```sh
#!/bin/sh
# Restart chronyd if the Let's Encrypt certificate is newer than the
# daemon's pidfile, i.e. it was renewed after chronyd last started.
find /etc/chrony/keys/ \
  -name signed.crt \
  -newer /run/chrony/chronyd.pid \
  -exec systemctl restart chrony \;
```
What does it do?

- It checks whether there is a file `signed.crt` in the directory `/etc/chrony/keys/` (`find` will search anywhere below the directory). That is the certificate file signed by the Let’s Encrypt CA.
- If that file is newer than `/run/chrony/chronyd.pid` (the file containing the daemon’s process ID, written when `chronyd` starts), it restarts the daemon (`systemctl restart chrony`).
- Therefore, the restart takes place whenever the certificate has been updated after the last launch of the daemon.
Depending on your system, you will have to change the paths, file names and command.
You should save this as an executable file (`chmod 755`) in `/etc/cron.daily/`, e.g., as
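As an added example (not the script from the post above), here is a variant of the same check that also remembers which certificate the running daemon loaded, so that a deploy job rewriting an identical `signed.crt` every day does not cause a needless restart and NTS-KE outage. The three paths, the stamp file and the use of `sha256sum` are assumptions; override them through the environment.

```sh
#!/bin/sh
# Added example, not the original post's script.
# Restart chronyd only when the NTS certificate file is both newer than the
# pidfile (the post's find -newer test) AND differs from the certificate that
# was loaded at the last restart, recorded as a SHA-256 digest in STAMP.
# All three paths are assumptions; override them via the environment.
CERT="${CERT:-/etc/chrony/keys/signed.crt}"
PIDFILE="${PIDFILE:-/run/chrony/chronyd.pid}"
STAMP="${STAMP:-/var/lib/chrony/nts-cert.sha256}"

# cert_digest FILE: print the SHA-256 hex digest of the PEM file (assumes coreutils sha256sum).
cert_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# newer_than FILE REF: true if FILE's mtime is later than REF's (same test as find -newer).
newer_than() {
    [ -n "$(find "$1" -prune -newer "$2" 2>/dev/null)" ]
}

# needs_restart CERT PIDFILE STAMP: exit status 0 when chronyd should be restarted.
needs_restart() {
    cert="$1"; pidfile="$2"; stamp="$3"
    [ -r "$cert" ] || return 1           # no certificate present: nothing to load
    [ -f "$pidfile" ] || return 1        # daemon not running: it reads the cert when it starts
    newer_than "$cert" "$pidfile" || return 1
    if [ -r "$stamp" ] && [ "$(cat "$stamp")" = "$(cert_digest "$cert")" ]; then
        return 1                         # file was rewritten, but the certificate is unchanged
    fi
    return 0
}

# record_loaded CERT STAMP: remember which certificate the running daemon has loaded.
record_loaded() {
    cert_digest "$1" > "$2"
}

# Entry point, intended for /etc/cron.daily/: restart, then record the digest.
if needs_restart "$CERT" "$PIDFILE" "$STAMP"; then
    systemctl restart chrony && record_loaded "$CERT" "$STAMP"
fi
```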