clock_skew

Summary

clock skew {0}s outside allowed window

Help

client and server clocks must agree within ±60s; sync NTP

Details

When this fires

The timestamp parsed fine, but the difference between client and server clocks was outside the verifier's allowed window (default 60 seconds, set in nanook-auth::signing::DEFAULT_SKEW). The error reports the signed offset in seconds: positive means the client's clock is ahead, negative means it is behind. Operators usually see this as nanook ctl failing right after a VM resume, a fresh container start, or a long-suspended laptop.

What to check

• Sync clocks: systemctl status systemd-timesyncd or chronyc tracking.
• For one host that genuinely needs a wider window, bump it via Verifier::with_skew, but keep it tight (a few minutes at most).