fix: provide NTS sync with bad initial clock state

In the initial bootstrap, if the clock (RTC) is badly out of sync, NTS
can't verify server certificate timestamp properly, so provide a
fallback path that is only activated in the initial boot sequence to
ignore certificate timestamp until the time is in sync at least once.

Also add a test with `--bad-rtc` option we had previously to verify this
flow.

The controller will log a warning if certificate timestamp was ignored
in the initial bootstrap sync.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>

Author: smira

.github/workflows/ci.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED BY KRES, PLEASE DO NOT EDIT.
 #
-# Generated on 2026-05-29T09:06:16Z by kres e1a258d.
+# Generated on 2026-06-03T12:12:42Z by kres d4e4c90.
 
 concurrency:
   group: ${{ github.head_ref || github.run_id }}
@@ -3537,6 +3537,9 @@ jobs:
           - test: e2e-k8s-user-namespace
             variant: default
             withConfigPatch: '@hack/test/patches/usernamespace.yaml'
+          - test: e2e-bad-rtc
+            variant: default
+            withBadRtc: "true"
           - extraTestArgs: -talos.enforcing
             tagSuffixIn: -enforcing
             test: e2e-siderolink
@@ -3564,6 +3567,12 @@ jobs:
             variant: enforcing
             withConfigPatch: '@hack/test/patches/usernamespace.yaml'
             withEnforcing: "true"
+          - extraTestArgs: -talos.enforcing
+            tagSuffixIn: -enforcing
+            test: e2e-bad-rtc
+            variant: enforcing
+            withBadRtc: "true"
+            withEnforcing: "true"
       fail-fast: false
       max-parallel: 2
     needs:
@@ -3627,6 +3636,7 @@ jobs:
           TAG_SUFFIX_IN: ${{ matrix.tagSuffixIn }}
           VIA_MAINTENANCE_MODE: ${{ matrix.viaMaintenanceMode }}
           WITH_APPARMOR_LSM_ENABLED: ${{ matrix.withAppArmorLsmEnabled }}
+          WITH_BAD_RTC: ${{ matrix.withBadRtc }}
           WITH_CONFIG_PATCH: ${{ matrix.withConfigPatch }}
           WITH_ENFORCING: ${{ matrix.withEnforcing }}
           WITH_SIDEROLINK_AGENT: ${{ matrix.withSiderolinkAgent }}

.github/workflows/integration-misc-4-triggered.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED BY KRES, PLEASE DO NOT EDIT.
 #
-# Generated on 2026-05-29T09:06:16Z by kres e1a258d.
+# Generated on 2026-06-03T12:12:42Z by kres d4e4c90.
 
 concurrency:
   group: ${{ github.head_ref || github.run_id }}
@@ -41,6 +41,9 @@ jobs:
           - test: e2e-k8s-user-namespace
             variant: default
             withConfigPatch: '@hack/test/patches/usernamespace.yaml'
+          - test: e2e-bad-rtc
+            variant: default
+            withBadRtc: "true"
           - extraTestArgs: -talos.enforcing
             tagSuffixIn: -enforcing
             test: e2e-siderolink
@@ -68,6 +71,12 @@ jobs:
             variant: enforcing
             withConfigPatch: '@hack/test/patches/usernamespace.yaml'
             withEnforcing: "true"
+          - extraTestArgs: -talos.enforcing
+            tagSuffixIn: -enforcing
+            test: e2e-bad-rtc
+            variant: enforcing
+            withBadRtc: "true"
+            withEnforcing: "true"
       fail-fast: false
       max-parallel: 2
     steps:
@@ -130,6 +139,7 @@ jobs:
           TAG_SUFFIX_IN: ${{ matrix.tagSuffixIn }}
           VIA_MAINTENANCE_MODE: ${{ matrix.viaMaintenanceMode }}
           WITH_APPARMOR_LSM_ENABLED: ${{ matrix.withAppArmorLsmEnabled }}
+          WITH_BAD_RTC: ${{ matrix.withBadRtc }}
           WITH_CONFIG_PATCH: ${{ matrix.withConfigPatch }}
           WITH_ENFORCING: ${{ matrix.withEnforcing }}
           WITH_SIDEROLINK_AGENT: ${{ matrix.withSiderolinkAgent }}

.kres.yaml

@@ -1250,6 +1250,9 @@ spec:
           - variant: default
             test: e2e-k8s-user-namespace
             withConfigPatch: "@hack/test/patches/usernamespace.yaml"
+          - variant: default
+            test: e2e-bad-rtc
+            withBadRtc: "true"
           - variant: enforcing
             test: e2e-siderolink
             triggerLabels: [integration/misc-4-enforcing]
@@ -1281,6 +1284,13 @@ spec:
             withEnforcing: "true"
             extraTestArgs: -talos.enforcing
             withConfigPatch: "@hack/test/patches/usernamespace.yaml"
+          - variant: enforcing
+            test: e2e-bad-rtc
+            triggerLabels: [integration/misc-4-enforcing]
+            tagSuffixIn: -enforcing
+            withEnforcing: "true"
+            extraTestArgs: -talos.enforcing
+            withBadRtc: "true"
       steps:
         - name: download-artifacts
           artifactStep:
@@ -1299,6 +1309,7 @@ spec:
             WITH_APPARMOR_LSM_ENABLED: ${{ matrix.withAppArmorLsmEnabled }}
             WITH_CONFIG_PATCH: ${{ matrix.withConfigPatch }}
             TAG_SUFFIX_IN: ${{ matrix.tagSuffixIn }}
+            WITH_BAD_RTC: ${{ matrix.withBadRtc }}
             EXTRA_TEST_ARGS: ${{ matrix.extraTestArgs }}
             WITH_ENFORCING: ${{ matrix.withEnforcing }}
             IMAGE_REGISTRY: registry.dev.siderolabs.io

hack/test/e2e-qemu.sh

@@ -35,6 +35,12 @@ case "${WITH_UEFI:-none}" in
     ;;
 esac
 
+case "${WITH_BAD_RTC:-none}" in
+  true)
+    QEMU_FLAGS+=("--bad-rtc")
+    ;;
+esac
+
 case "${WITH_VIRTUAL_IP:-false}" in
   true)
     QEMU_FLAGS+=("--use-vip")

internal/pkg/ntp/consts.go

@@ -22,4 +22,14 @@ const (
 	EpochLimit = 15 * time.Minute
 	// ExpectedAccuracy is the expected time sync accuracy, used to adjust poll interval.
 	ExpectedAccuracy = 200 * time.Millisecond
+	// NTSBootstrapAttempts is the number of initial NTS session establishment attempts
+	// during which a TLS certificate validity-period (time) failure is tolerated by
+	// falling back to a verifier which validates the chain and hostname but ignores
+	// the certificate notBefore/notAfter.
+	//
+	// This works around the boot-time chicken-and-egg problem: NTS key exchange runs
+	// over TLS, but the system clock used to validate the certificate may not be set
+	// yet. After this many attempts (or once time has been synced), certificate
+	// validation is always strict.
+	NTSBootstrapAttempts = 5
 )

internal/pkg/ntp/interfaces.go

@@ -33,4 +33,8 @@ type NTSSession interface {
 
 // NTSNewSessionFunc creates an NTS session for a given server address.
 // Defaults to nts.NewSession wrapper; injectable for testing.
-type NTSNewSessionFunc func(address string) (NTSSession, error)
+//
+// When skipCertTimeCheck is true, the implementation should validate the TLS
+// certificate chain and hostname but ignore the certificate validity period.
+// This is used to bootstrap NTS before the system clock has been set.
+type NTSNewSessionFunc func(address string, skipCertTimeCheck bool) (NTSSession, error)

internal/pkg/ntp/ntp.go

@@ -8,6 +8,8 @@ package ntp
 import (
 	"bytes"
 	"context"
+	"crypto/x509"
+	"errors"
 	"fmt"
 	"math/bits"
 	"net"
@@ -58,6 +60,13 @@ type Syncer struct {
 	// NTS (Network Time Security) support
 	UseNTS        bool
 	NTSNewSession NTSNewSessionFunc
+
+	// NTSBootstrapAttempts is the number of initial NTS session establishment
+	// attempts during which a TLS certificate validity-period failure is tolerated
+	// by retrying with a verifier that ignores certificate time constraints.
+	NTSBootstrapAttempts int
+
+	ntsBootstrapUsed int
 }
 
 // Measurement is a struct containing correction data based on a time request.
@@ -92,6 +101,8 @@ func NewSyncer(logger *zap.Logger, timeServers []string, useNTS bool) *Syncer {
 
 		UseNTS:        useNTS,
 		NTSNewSession: DefaultNTSNewSession,
+
+		NTSBootstrapAttempts: NTSBootstrapAttempts,
 	}
 
 	return syncer
@@ -521,7 +532,7 @@ func (syncer *Syncer) getNTSSession(server string) (NTSSession, error) {
 		return nil, fmt.Errorf("NTS session factory not configured")
 	}
 
-	session, err := syncer.NTSNewSession(server)
+	session, err := syncer.newNTSSession(server)
 	if err != nil {
 		return nil, err
 	}
@@ -536,6 +547,51 @@ func (syncer *Syncer) getNTSSession(server string) (NTSSession, error) {
 	return session, nil
 }
 
+// newNTSSession establishes an NTS session, applying the boot-time bootstrap
+// workaround for the TLS certificate time check.
+//
+// It first attempts strict validation. If that fails with a certificate
+// validity-period error and the bootstrap budget is not yet exhausted (and time
+// has not been synced yet), it retries with the certificate time check disabled
+// while still validating the chain and hostname. After NTSBootstrapAttempts such
+// retries, or once time is synced, validation is always strict.
+func (syncer *Syncer) newNTSSession(server string) (NTSSession, error) {
+	session, err := syncer.NTSNewSession(server, false)
+	if err == nil {
+		return session, nil
+	}
+
+	if syncer.timeSyncNotified || syncer.ntsBootstrapUsed >= syncer.NTSBootstrapAttempts || !isCertTimeError(err) {
+		return nil, err
+	}
+
+	syncer.ntsBootstrapUsed++
+
+	syncer.logger.Warn(
+		"NTS certificate time validation failed, retrying while ignoring certificate time constraints (system clock may not be set yet)",
+		zap.String("server", server),
+		zap.Int("bootstrap_attempts_used", syncer.ntsBootstrapUsed),
+		zap.Int("bootstrap_attempts_limit", syncer.NTSBootstrapAttempts),
+		zap.Error(err),
+	)
+
+	return syncer.NTSNewSession(server, true)
+}
+
+// isCertTimeError reports whether err is a TLS certificate validation failure
+// caused by the certificate validity period (expired or not yet valid).
+//
+// Other certificate failures (unknown authority, hostname mismatch, etc.) are
+// deliberately excluded: those are genuine trust failures which must not be
+// bypassed even during bootstrap.
+func isCertTimeError(err error) bool {
+	if certErr, ok := errors.AsType[x509.CertificateInvalidError](err); ok {
+		return certErr.Reason == x509.Expired
+	}
+
+	return false
+}
+
 // log2i returns 0 for v == 0 and v == 1.
 func log2i(v uint64) int {
 	if v == 0 {