[RPKI] Certificate has Expired

Christopher Munz-Michielin christopher at ve7alb.ca
Sat Dec 16 16:30:17 UTC 2023


Hello Tim,

Thanks so much for getting back to me.

 > Otherwise, can you try restarting?

I actually did restart krill last night (have you tried turning it off 
and on again hihi), I guess I just didn't wait long enough, because this 
morning my routes seem to be RPKI-Valid when I run through a couple of 
different validators.  I'll keep the krillc bulk publish command in mind 
for future.

 > If you want to test the data upgrade from 0.10.3 to 0.14.4, you can make a copy of your data dir, and run `krillup`

Thanks for the suggestion!  I've been bitten by upgrades a couple of 
times in the past, hence my hesitation.  This is a great tip.

Cheers,
Chris

On 12/16/23 03:31, Tim Bruijnzeels wrote:
> Hi Chris,
>
>> On 16 Dec 2023, at 05:33, Christopher Munz-Michielin via RPKI <rpki at lists.nlnetlabs.nl> wrote:
>>
>> Hello all,
>>
>> Hoping someone can help me shed some light on an issue I'm having with Krill and delegated RPKI with ARIN.
>>
>> Some background - I run a small ISP with a couple of v4 and a single v6 prefix.  We have been running delegated RPKI with Krill for a couple of years now without issue.  Current version of Krill is 0.10.3 (I know it's a bit out of date, haven't gotten around to testing upgrades yet).
> Can you try:
>
> krillc bulk publish
>
> I am not sure, but I think that it may have been possible in 0.10.x that the background job scheduler lost the republish job, and replanning it is done when that is done - so it would not happen. Otherwise, can you try restarting?
>
> BTW If you want to test the data upgrade from 0.10.3 to 0.14.4, you can make a copy of your data dir, and run `krillup` using a configuration file with an "admin_token" (not used, but required, can be anything in this case) and a "data_dir = /path/to/your/copy".
>
>> Recently, I noticed that my prefixes stopped being identified as RPKI-Valid, and while looking into this, I discovered Routinator is complaining that the 'certificate has expired.'  Now the odd thing is that my handshakes with ARIN are up to date (last one was about 10 minutes ago), and the files in the local repository are constantly being updated.  On the routinator VM I have the following logs:
>>
>> Dec 15 19:38:01 ca-vic-cu-bgp01 routinator[43871]: [WARN] rsync://rpki.tools.westconnect.ca/repo/WestConnect-Pub/0/86A99076610E7C08AEDDCE8767AA5DC4528C4908.mft: certificate has expired.
>> Dec 15 19:38:01 ca-vic-cu-bgp01 routinator[43871]: [WARN] rsync://rpki.arin.net/repository/arin-rpki-ta/5e4a23ea-e80a-403e-b08c-2171da2157d3/f60c9f32-a87c-4339-a2f3-6299a3b02e29/1146938c-c605-4779-bf60-820a16fa701c/8f6916d463bfc5c35e4659c12889a337f3cc6f6b7fe978372b.cer: no valid manifest rsync://rpki.tools.westconnect.ca/repo/WestConnect-Pub/0/86A99076610E7C08AEDDCE8767AA5DC4528C4908.mft found.
>>
>> I'm at a bit of a loss here; if anyone can point me in the direction of what certificate has expired, and how I might go about renewing it, I would be most grateful.
> I can't tell from here, but another issue that could have happened is that the content of your rsync module is not updated.
>
> But, rather than trying to fix your local publication server and repository setup (with rsync and HTTPS for RRDP), it may be better to migrate to the publication server provided by ARIN. The Krill side of this procedure is documented here:
>
> https://krill.docs.nlnetlabs.nl/en/stable/ca-migrate-repo.html
>
> (this is the documentation for 'stable' rather than 'v0.10.3' but this process has not changed)
>
> Cheers
> Tim
>
>> Cheers,
>> Chris
>>
>> -- 
>> RPKI mailing list
>> RPKI at lists.nlnetlabs.nl
>> https://lists.nlnetlabs.nl/mailman/listinfo/rpki
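
Added example, not part of the original thread and not NLnet Labs code: a small Python triage script that pairs each rejected manifest in Routinator's warnings with the CA certificates whose publication point it invalidates, which answers the "what certificate has expired" question for logs shaped like the two lines quoted above. The sample log is constructed; its hosts and file names are placeholders, and the function name `summarize` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of the Routinator warnings quoted in
# the thread (hosts and file names are placeholders, not values from the thread).
SAMPLE_LOG = """\
Dec 15 19:38:01 host routinator[100]: [WARN] rsync://repo.example.net/repo/ca1/0/AAAA.mft: certificate has expired.
Dec 15 19:38:01 host routinator[100]: [WARN] rsync://parent.example.org/repository/ta/BBBB.cer: no valid manifest rsync://repo.example.net/repo/ca1/0/AAAA.mft found.
Dec 15 19:38:02 host routinator[100]: [WARN] rsync://other.example.com/repo/x/CCCC.cer: no valid manifest rsync://other.example.com/repo/x/DDDD.mft found.
Dec 15 19:38:03 host routinator[100]: [INFO] validation completed.
"""

# "[WARN] <object URI>: <message>" as it appears in the quoted log lines.
WARN = re.compile(r"\[WARN\] (?P<uri>rsync://\S+?): (?P<msg>.+)$")
# Message emitted against a CA certificate whose manifest was rejected.
NO_MFT = re.compile(r"no valid manifest (?P<mft>rsync://\S+) found\.")


def summarize(log_text):
    """Map each rejected manifest URI to the reason logged for it and to the
    CA certificates that lost their publication point because of it."""
    report = defaultdict(lambda: {"reason": None, "ca_certs": []})
    for line in log_text.splitlines():
        m = WARN.search(line)
        if not m:
            continue  # not a warning line
        uri, msg = m["uri"], m["msg"]
        missing = NO_MFT.search(msg)
        if missing:
            # Warning is about a CA cert; record it under the manifest it names.
            report[missing["mft"]]["ca_certs"].append(uri)
        elif uri.endswith(".mft"):
            # Warning is about the manifest object itself.
            report[uri]["reason"] = msg.rstrip(".")
    return dict(report)


if __name__ == "__main__":
    for mft, info in summarize(SAMPLE_LOG).items():
        print(mft)
        print("  reason:  ", info["reason"] or "not stated in this log")
        for cert in info["ca_certs"]:
            print("  affects: ", cert)
```

A manifest with a reason of `None` was reported as unusable without a matching warning for the manifest itself, so the cause has to be found elsewhere (for example, in earlier log lines).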

