chrony: add useful details on bootstrap server cert by hector-cao · Pull Request #704 · canonical/ubuntu-server-documentation

hector-cao · 2026-05-20T10:03:31Z

We had a bug report related to the chrony NTS certificate:

https://bugs.launchpad.net/ubuntu/+source/chrony/+bug/2152270

I think it is useful to have some details about the certificate used for the bootstrap server.

Copilot

Pull request overview

This PR updates the chrony client how-to to add more detail about Ubuntu’s Network Time Security (NTS) defaults, with emphasis on how the ntp-bootstrap.ubuntu.com bootstrap server’s certificate trust is configured.

Changes:

Expands the NTS section to describe the default Ubuntu NTS pool configuration file and options (nts, prefer, certset).
Adds an explanation of the bootstrap server’s role for large clock offsets and how its certificate trust is configured via ntstrustedcerts.
Adds openssl examples and certificate excerpts to illustrate differences between public-CA-issued and privately trusted certificates.

Comments suppressed due to low confidence (1)

docs/how-to/networking/chrony-client.md:133

“issuer as ubuntu, which is not a Certificate Authority (CA)” is misleading: an issuer name doesn’t determine whether it’s a CA, and in this case it’s effectively a private CA (not publicly trusted) used to sign the bootstrap server certificate. Suggest rewording to avoid implying the certificate is invalid, and instead explain it’s not signed by a public CA like Let’s Encrypt.

shows the issuer as `ubuntu`, which is not a Certificate Authority (CA), compared with `Let's Encrypt`,
which is a CA.

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

panlinux · 2026-05-21T20:22:37Z

While at it, could you also please fix the mention of a CA in the docs further down? It's in this "note":

:::{note}
  A new CA is installed in `/etc/chrony/nts-bootstrap-ubuntu.crt` that is
  used specifically for the Ubuntu NTS bootstrap server, needed for when the
  clock is too far off. This is added to certificate set ID "1", and defined
  via `/etc/chrony/conf.d/ubuntu-nts.conf`.
:::

I propose that should say:

:::{note}
 The certificate for ntp-bootstrap.ubuntu.com is installed in
 `/etc/chrony/nts-bootstrap-ubuntu.crt` and is used specifically for the
 Ubuntu NTS bootstrap server, needed ... (the rest remains as is)

hector-cao · 2026-05-22T10:41:27Z

While at it, could you also please fix the mention of a CA in the docs further down? It's in this "note":

:::{note}
  A new CA is installed in `/etc/chrony/nts-bootstrap-ubuntu.crt` that is
  used specifically for the Ubuntu NTS bootstrap server, needed for when the
  clock is too far off. This is added to certificate set ID "1", and defined
  via `/etc/chrony/conf.d/ubuntu-nts.conf`.
:::

I propose that should say:

:::{note}
 The certificate for ntp-bootstrap.ubuntu.com is installed in
 `/etc/chrony/nts-bootstrap-ubuntu.crt` and is used specifically for the
 Ubuntu NTS bootstrap server, needed ... (the rest remains as is)

updated; thanks

panlinux

+1

chrony: add useful details on bootstrap server cert

57a7645

hector-cao requested review from Copilot, panlinux and s-makin May 20, 2026 10:03

Copilot started reviewing on behalf of hector-cao May 20, 2026 10:04 View session

Copilot AI reviewed May 20, 2026

View reviewed changes

hector-cao and others added 5 commits May 20, 2026 13:55

Potential fix for pull request finding

c2a12b6

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

Potential fix for pull request finding

808df1a

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

improve openssl command to retrieve the cert

887035c

remove cert data as it is not useful to be shown

e4f160e

Potential fix for pull request finding

397cfea

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

panlinux reviewed May 20, 2026

View reviewed changes