Hi,

On a newly installed 6.1 machine, which has its system date set to 15 September, i.e. 30 days into the past, doing "ntpd -d -s -v" (to not daemonize, to make a time sync directly, and to print out verbose output), I am told this:
  /var/db/ntpd.drift is empty
  ntp engine ready
  constraint request to 2404:6800:4008:801::2004
  constraint request to 172.217.25.100
  tls constraint failed: 2404:6800:4008:801::2004 (www.google.com): connect: No route to host
  no constraint reply from 2404:6800:4008:801::2004 received in time, next query 900s
  tls write failed: 172.217.25.100 (www.google.com) certificate verification failed: certificate not yet valid
  no constraint reply from 172.217.25.100 received in time, next query 900s
  no reply received in time, skipping initial time setting

In other words, LibreSSL will not connect to the remote NTP protocol server, because the TLS certificate was issued after 15 Sept (https://www.sslshopper.com/ssl-checker.html#hostname=www.google.com says it's valid from October 3, 2017 to December 26, 2017), and therefore the time sync fails - which means I have to update the date manually first to make things work.

An effective fix here is to simply remove the "constraints" line in /etc/ntpd.conf; this way ntpd makes no attempt to make any TLS connection (to https://www.google.com/, which is used as the constraint in the default /etc/ntpd.conf) and instead just goes into time syncing work with pool.ntp.org.

Maybe the best thing would be to make NTPD, obligatorily or optionally, *not* dismiss a TLS certificate for the specific reason that its certificate is not valid. If more constraint servers were added (right now there's only one, https://www.google.com) then certainty could be derived from there.

Also, I am not super happy about NTPD connecting by default to www.google.com in particular. A random pool of 50-100 HTTPS servers that are known to generally be available out there would be a better pick. Maybe the best thing would be that I simply choose some myself and not use the default ntpd.conf.

So to sum up, my best impression presently is that time validation should be disabled for TLS certificates within NTPD.

Tinker
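As an added illustration (not code from the post or from OpenNTPD), the two checks that interact in the report, with the certificate dates and the clock setting from the message as constructed inputs; the 15-minute constraint margin is an assumption, not a value taken from the ntpd source:

```python
from datetime import datetime, timedelta, timezone

# Constructed inputs reproducing the report: the www.google.com certificate was
# said to be valid 2017-10-03 .. 2017-12-26, while the machine's clock stood at
# 2017-09-15, roughly 30 days behind real time.
NOT_BEFORE = datetime(2017, 10, 3, tzinfo=timezone.utc)
NOT_AFTER = datetime(2017, 12, 26, tzinfo=timezone.utc)
LOCAL_CLOCK = datetime(2017, 9, 15, 12, 0, tzinfo=timezone.utc)

# Assumption: an NTP reply is accepted only if it lies within a fixed margin of
# the time carried in the HTTPS server's Date header. 15 minutes is used here
# as an illustrative value, not one taken from the ntpd source.
CONSTRAINT_MARGIN = timedelta(minutes=15)


def tls_time_check(now, not_before=NOT_BEFORE, not_after=NOT_AFTER):
    """The certificate-validity test the TLS layer applies with the local clock.
    Returns None if the clock falls inside the validity window, otherwise the
    reason string in the form ntpd logged it."""
    if now < not_before:
        return "certificate not yet valid"
    if now > not_after:
        return "certificate has expired"
    return None


def constraint_accepts(ntp_time, https_date, margin=CONSTRAINT_MARGIN):
    """Plausibility check a constraint provides once TLS succeeds: the NTP
    server's time must agree with the authenticated HTTPS Date header."""
    return abs(ntp_time - https_date) <= margin


def diagnose(now, not_before=NOT_BEFORE):
    """Turn 'certificate not yet valid' into the minimum clock correction that
    lets the constraint fetch proceed (the manual date fix from the post)."""
    err = tls_time_check(now, not_before)
    if err != "certificate not yet valid":
        return err, timedelta(0)
    return err, not_before - now


if __name__ == "__main__":
    err, behind = diagnose(LOCAL_CLOCK)
    print(f"{err}: clock is at least {behind.days} days behind the certificate")
    # With a corrected clock the constraint works and can reject a bogus NTP reply.
    true_now = datetime(2017, 10, 15, 12, 0, tzinfo=timezone.utc)
    print(constraint_accepts(true_now + timedelta(seconds=30), true_now))  # True
    print(constraint_accepts(true_now - timedelta(days=30), true_now))     # False
```

Removing the constraint line drops the second check entirely, so a wrong NTP reply would no longer be caught; correcting the clock before starting ntpd with -s keeps it.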