About time synchronisation

powersj · July 17, 2019, 9:49pm

Note:
This documentation has moved to a new home! Please update your bookmarks to the new URL for the up-to-date version of this page.

paelzer · May 14, 2020, 9:41am

FYI - added more gpsd/pps use case details to help anyone else trying to set this up.

ahasenack · January 24, 2023, 1:00pm

powersj:

It is important to note that for isolation reasons chrony, by default, runs as user and group _chrony. Therefore you need to grant access to the certificates for that user, by running the following command:.
sudo chown _chrony:_chrony /etc/chrony/*.pem

From a security POV, it would be best to not give ownership of the cert files to the _chrony user, as that would allow it to write to those files as well (depending on permissions, but, being the owner, they can be changed). Usually the owner should be root, and the group should be _chrony, and the group would have read permissions. In other words, I would suggest (untested):

sudo chown root:_chrony /etc/chrony/*.pem
sudo chmod 0640 /etc/chrony/privkey.pem