ntpd System Log Messages
Last update: March 23, 2023 21:05 UTC (6ad51a76f)
from Alice’s Adventures in Wonderland, Lewis Carroll
The log can be shrill at times.
Table of Contents
Introduction
You have come here because you found a cryptic message in the system log. This page by no means lists all messages that might be found, since new ones come and old ones go. Generally, however, the most common ones will be found here. They are listed by program module and log severity code in bold: LOG_ERR
, LOG_NOTICE
and LOG_INFO
.
Most of the time LOG_ERR
messages are fatal, but often ntpd
limps onward in the hopes of discovering more errors. The LOG_NOTICE
messages usually mean the time has changed or some other condition that probably should be noticed. The LOG_INFO
messages usually say something about the system operations, but do not affect the time.
In the following a ?
character stands for text in the message. The meaning should be clear from context.
Protocol Module
LOG_ERR
buffer overflow ?
- Fatal error. An input packet is too long for processing.
LOG_NOTICE
no reply; clock not set
- In
ntpdate
mode no servers have been found. The server(s) and/or network may be down. Standard debugging procedures apply.
LOG_INFO
proto_config: illegal item ?, value ?
- Program error. Bugs can be reported here.
receive: autokey requires two-way communication
- Configuration error on the
broadcastclient
command.
receive: server server maximum rate exceeded
- A kiss-o’death packet has been received. The transmit rate is automatically reduced.
pps sync enabled
- The PPS signal has been detected and enabled.
transmit: encryption key ? not found
- The encryption key is not defined or not trusted.
precision = ? usec
- This reports the precision measured for this machine.
using 10ms tick adjustments
- Gotcha for some machines with dirty rotten clock hardware.
no servers reachable
- The system clock is running on internal batteries. The server(s) and/or network may be down.
Clock Discipline Module
LOG_ERR
time correction of ? seconds exceeds sanity limit (?); set clock manually to the correct UTC time.
- Fatal error. Better do what it says, then restart the daemon. Be advised NTP and Unix know nothing about local time zones. The clock must be set to Coordinated Universal Time (UTC). Believe it; by international agreement abbreviations are in French and descriptions are in English.
sigaction() fails to save SIGSYS trap: ?
sigaction() fails to restore SIGSYS trap: ?
- Program error. Bugs can be reported here.
LOG_NOTICE
frequency error ? exceeds tolerance 500 PPM
- The hardware clock frequency error exceeds the rate the kernel can correct. This could be a hardware or a kernel problem.
time slew ? s
- The time error exceeds the step threshold and is being slewed to the correct time. You may have to wait a very long time.
time reset ? s
- The time error exceeds the step threshold and has been reset to the correct time. Computer scientists don’t like this, but they can set the
ntpd -x
option and wait forever.
kernel time sync disabled ?
- The kernel reports an error. See the codes in the
timex.h
file.
pps sync disabled
- The PPS signal has died, probably due to a dead radio, broken wire or loose connector.
LOG_INFO
kernel time sync status ?
- For information only. See the codes in the
timex.h
file.
Cryptographic Module
LOG_ERR
cert_parse ?
cert_sign ?
crypto_cert ?
crypto_encrypt ?
crypto_gq ?
crypto_iff ?
crypto_key ?
crypto_mv ?
crypto_setup ?
make_keys ?
- Usually fatal errors. These messages display error codes returned from the OpenSSL library. See the OpenSSL documentation for explanation.
crypto_setup: certificate ? is trusted, but not self signed.
crypto_setup: certificate ? not for this host
crypto_setup: certificate file ? not found or corrupt
crypto_setup: host key file ? not found or corrupt
crypto_setup: host key is not RSA key type
crypto_setup: random seed file ? not found
crypto_setup: random seed file not specified
- Fatal errors. These messages show problems during the initialization procedure.
LOG_INFO
cert_parse: expired ?
cert_parse: invalid issuer ?
cert_parse: invalid signature ?
cert_parse: invalid subject ?
There is a problem with a certificate. Operation cannot proceed until the problem is fixed. If the certificate is local, it can be regenerated using the ntp-keygen
program. If it is held somewhere else, it must be fixed by the holder.
crypto_?: defective key
crypto_?: invalid filestamp
crypto_?: missing challenge
crypto_?: scheme unavailable
- There is a problem with the identity scheme. Operation cannot proceed until the problem is fixed. Usually errors are due to misconfiguration or an orphan association. If the latter,
ntpd
will usually time out and recover by itself.
crypto_cert: wrong PEM type ?
- The certificate does not have MIME type
CERTIFICATE
. You are probably using the wrong type from OpenSSL or an external certificate authority.
crypto_ident: no compatible identity scheme found
- Configuration error. The server and client identity schemes are incompatible.
crypto_tai: kernel TAI update failed
- The kernel does not support this function. You may need a new kernel or patch.
crypto_tai: leapseconds file ? error ?
- The leapseconds file is corrupt. Obtain the latest file from NIST.