[RPKI] Certificate has Expired

Tim Bruijnzeels tim at nlnetlabs.nl
Sat Dec 16 11:31:01 UTC 2023


Hi Chris,

> On 16 Dec 2023, at 05:33, Christopher Munz-Michielin via RPKI <rpki at lists.nlnetlabs.nl> wrote:
> 
> Hello all,
> 
> Hoping someone can help me shed some light on an issue I'm having with Krill and delegated RPKI with ARIN.
> 
> Some background - I run a small ISP with a couple of v4 and a single v6 prefix.  We have been running delegated RPKI with Krill for a couple of years now without issue.  Current version of Krill is 0.10.3 (I know it's a bit out of date, haven't gotten around to testing upgrades yet).

Can you try:

krillc bulk publish

I am not sure, but I think that it may have been possible in 0.10.x that the background job scheduler lost the republish job, and replanning it is done when that is done - so it would not happen. Otherwise, can you try restarting?

BTW, if you want to test the data upgrade from 0.10.3 to 0.14.4, you can make a copy of your data dir, and run `krillup` using a configuration file with an "admin_token" (not used, but required, can be anything in this case) and a "data_dir = /path/to/your/copy".

> Recently, I noticed that my prefixes stopped being identified as RPKI-Valid, and while looking into this, I discovered Routinator is complaining that the 'certificate has expired.'  Now the odd thing is that my handshakes with ARIN are up to date (last one was about 10 minutes ago), and the files in the local repository are constantly being updated.  On the routinator VM I have the following logs:
> 
> Dec 15 19:38:01 ca-vic-cu-bgp01 routinator[43871]: [WARN] rsync://rpki.tools.westconnect.ca/repo/WestConnect-Pub/0/86A99076610E7C08AEDDCE8767AA5DC4528C4908.mft: certificate has expired.
> Dec 15 19:38:01 ca-vic-cu-bgp01 routinator[43871]: [WARN] rsync://rpki.arin.net/repository/arin-rpki-ta/5e4a23ea-e80a-403e-b08c-2171da2157d3/f60c9f32-a87c-4339-a2f3-6299a3b02e29/1146938c-c605-4779-bf60-820a16fa701c/8f6916d463bfc5c35e4659c12889a337f3cc6f6b7fe978372b.cer: no valid manifest rsync://rpki.tools.westconnect.ca/repo/WestConnect-Pub/0/86A99076610E7C08AEDDCE8767AA5DC4528C4908.mft found.
> 
> I'm at a bit of a loss here; if anyone can point me in the direction of what certificate has expired, and how I might go about renewing it, I would be most grateful.

I can't tell from here, but another issue that could have happened is that the content of your rsync module is not updated.

But, rather than trying to fix your local publication server and repository setup (with rsync and HTTPS for RRDP), it may be better to migrate to the publication server provided by ARIN. The Krill side of this procedure is documented here:

https://krill.docs.nlnetlabs.nl/en/stable/ca-migrate-repo.html

(this is the documentation for 'stable' rather than 'v0.10.3' but this process has not changed)

Cheers
Tim

> 
> Cheers,
> Chris
> 
> -- 
> RPKI mailing list
> RPKI at lists.nlnetlabs.nl
> https://lists.nlnetlabs.nl/mailman/listinfo/rpki
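
Added example (not part of the original thread, and not Krill or Routinator code): a small Python check that correlates the two Routinator warnings quoted above, to show which publication point serves an expired manifest and which parent-issued CA certificate is left without a valid manifest because of it. The log lines, hostnames and object names in it are constructed placeholders that follow the shape of the two messages in the thread; the function name is hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample input, modelled on the two warning shapes quoted in the thread.
SAMPLE_LOG = """\
Dec 15 19:38:01 rp01 routinator[43871]: [WARN] rsync://repo.child.example/repo/Child-Pub/0/AAAA.mft: certificate has expired.
Dec 15 19:38:01 rp01 routinator[43871]: [WARN] rsync://rpki.parent.example/repository/ta/1111/2222.cer: no valid manifest rsync://repo.child.example/repo/Child-Pub/0/AAAA.mft found.
Dec 15 19:38:02 rp01 routinator[43871]: [WARN] rsync://repo.other.example/repo/ca/BBBB.mft: certificate has expired.
"""

# "<object URI>: <message>" after the Routinator syslog prefix.
LINE = re.compile(r"routinator\[\d+\]: \[WARN\] (?P<uri>rsync://\S+?): (?P<msg>.+)$")
NO_MFT = re.compile(r"no valid manifest (?P<mft>rsync://\S+) found\.")


def stale_publication_points(log_text):
    """Map each expired manifest to its repository host and the CA
    certificates that were reported as having no valid manifest."""
    expired = set()
    orphaned = defaultdict(set)  # manifest URI -> CA certificate URIs
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a Routinator warning in the expected shape
        uri, msg = m["uri"], m["msg"]
        if uri.endswith(".mft") and msg.startswith("certificate has expired"):
            expired.add(uri)
            continue
        n = NO_MFT.match(msg)
        if n:
            orphaned[n["mft"]].add(uri)
    return {
        mft: {
            "repository_host": urlparse(mft).hostname,
            "orphaned_ca_certs": sorted(orphaned.get(mft, ())),
        }
        for mft in sorted(expired)
    }


if __name__ == "__main__":
    for mft, info in stale_publication_points(SAMPLE_LOG).items():
        print(info["repository_host"], mft, info["orphaned_ca_certs"])
```

The host reported for an expired manifest is the repository whose published content needs checking (republish job, rsync module sync), not the parent's.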


