📖 ~1 min read
Table of contents
Symptom & Impact
Cluster nodes show clock skew of several seconds, breaking Kerberos and TLS validation.
Environment & Reproduction
Affects CentOS Stream 10 hosts behind firewalls that block outbound NTP.
Root Cause Analysis
Default NTP sources unreachable and chronyd falls back to local clock.
Quick Triage
Check sync state with `chronyc tracking` and reachability with `chronyc sources -v`.
Step-by-Step Diagnosis
Identify which configured NTP sources are unreachable.
Solution – Primary Fix
Configure internal NTP sources in /etc/chrony.conf and restart chronyd.
Still having issues? Our IT Solutions & Services team can diagnose and resolve this for you. Get in touch for a free consultation.
Solution – Alternative Approaches
Use ptp4l with hardware timestamping if sub-millisecond precision is required.
Verification & Acceptance Criteria
`chronyc tracking` reports `Leap status: Normal` and skew under 50ms.
Rollback Plan
Restore prior chrony.conf to revert to public NTP if internal sources become unreliable.
Prevention & Hardening
Open UDP/123 outbound in firewall policy for at least three NTP sources.
Related Errors & Cross-Refs
Related to Kerberos auth failures and TLS clock-skew rejections.
Related tutorial: View the step-by-step tutorial for centos-stream-10.
View all centos-stream-10 tutorials on the Tutorials Hub →
Browse all common problems & solutions on the Tutorials Hub.
References & Further Reading
chrony manual for CentOS Stream 10.
Need Expert Help?
If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today — we respond within one business day.
