# error in periodic output, fetching leap-seconds.list



## pez (Dec 5, 2018)

I've recently started getting an error in my periodic output email. 

```
Certificate verification failed for /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Root Certificate Authority - G2
34374371912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
fetch: https://www.ietf.org/timezones/data/leap-seconds.list: Authentication error
```

I have ca_root_nss installed. I can reproduce the problem by doing `service ntpd onefetch`.
This is FreeBSD 11.2-RELEASE, my other vm's and physical servers which are the same version do not have the same problem, but this one was installed with 11.2-RELEASE while the others have all been upgraded from earlier versions.

It's not critical, I don't even have ntpd(8) enabled in rc.conf.

Any suggestions would be appreciated.
regards
andrew


----------



## ShelLuser (Dec 5, 2018)

I cannot reproduce any errors so this seems like a localized problem at first. _However..._ What is the output of `grep server /etc/ntp.conf`?


----------



## pez (Dec 5, 2018)

ok thanks, here's the output, only comments

regards
andrew

# Default NTP servers for the FreeBSD operating system.
# Set the target and limit for adding servers configured via pool statements
# Ntpd automatically adds maxclock-1 servers from configured pools, and may
# servers are providing good consistant time.
# The following pool statement will give you a random set of NTP servers
# servers from the pool, according to the tos minclock/maxclock targets.
# users with a static IP and good upstream NTP servers to add a server
# If you want to pick yourself which country's public NTP server
# To configure a specific server, such as an organization-wide local
# server, add lines similar to the following.  One or more specific
# servers can be configured in addition to, or instead of, any server
# the specific servers, then adds servers from the pool until the tos
#server time.my-internal.org iburst
# In this case, all remote NTP time servers also need to be explicitly
# this server.
# Please note that this example doesn't work for the servers in
# If a server loses sync with all upstream servers, NTP clients
# no longer follow that server. The local clock can be configured
# be configured on just one server on a network. For more details see
#server 127.127.1.0


----------



## Datapanic (Dec 5, 2018)

the default /etc/ntp.conf does not use the `server` definition, that's going to be commented out.  It uses the pool instead, the default being `pool 0.freebsd.pool.ntp.org iburst`


----------



## pez (Dec 5, 2018)

pool 0.freebsd.pool.ntp.org iburst


----------



## pboehmer (Dec 6, 2018)

Try installing security/ca_root_nss.


----------



## pez (Dec 6, 2018)

yeah already have done that. that's my problem, that is installed and i still have the error


----------



## pboehmer (Dec 7, 2018)

Something I should have added to my previous post was if security/ca_root_nss was up-to-date?


----------



## pez (Dec 7, 2018)

yeah i updated it to ca_root_nss-3.40.1


----------

