Closed yushoyamaguchi closed 1 year ago
The first error comes from the HTTP library we are using – reqwest.
If you are not using a “proper” certificate (e.g., one generated by Let’s Encrypt), you need to add the issuer to Routinator via the `rrdp-root-cert` option. If that is still rejected, you can create a certificate that works using these instructions: https://github.com/partim/random-sysadmin-docs/blob/main/generate-self-signed-certificate.md
Thank you very much.
I'll try the `rrdp-root-cert` option because I'm using a self-signed certificate.
@partim Sorry, how can I confirm that communication with the krill server via RRDP has succeeded?
If you increase the log level to debug with `-vv`, Routinator reports the servers it talks to and what files it processes from them. Alternatively, if you run it in server mode and enable the HTTP endpoint, the `/status` path shows all the repositories it collected data from. E.g., https://routinator.do.nlnetlabs.nl/status
@partim
I'm sorry for repeating questions.
If it is possible, please tell me about the code that runs when the `rrdp-root-cert` option is given.
I would like to investigate an issue where the extra TAs specified in the `extra-tals-dir` of the config file appear to no longer be verified when I run with the `rrdp-root-cert` option.
The code that processes the list of added root certificates starts here: https://github.com/NLnetLabs/routinator/blob/main/src/collector/rrdp.rs#L1330 – ultimately, the certificate is given to the reqwest HTTP library which does all the actual work.
The only reason I could think of why adding your own certificate should break access to an RRDP server is if your certificate is broken. There should be a log message about this, though?
Thank you for your advice.
That is the difference between using the `--rrdp-root-cert` option and not using it.
Not using: it said UnknownIssuer about the certificate.
Using: it seems that the process is in progress, but the verification has not been completed.
By the way, I specify a certificate in the way shown in this picture, using the `--rrdp-root-cert` option.
Is this the correct type of certificate to specify in the `--rrdp-root-cert` option?
(ssl_certificate is the one specified in the nginx config file.)
The `rrdp-root-cert` option is working as expected – Routinator updates successfully in the second example (“snapshot update completed”). The reason you have two ROAs in the first example is that Routinator falls back to fetching via rsync. Looks like there is a discrepancy between the data published via rsync and RRDP.
As you said, the configuration of the RRDP repository in krill was not correct. Thank you very much for your amazing support.
This issue is a question, not a suggestion of a problem with the source code. Sorry. I am using the testbed functionality of krill and running krill and routinator in a docker container with it as the root certificate authority.
Configuring krill: https://github.com/yushoyamaguchi/rpki_container/blob/main/my_krill1/krill_start7.sh
Configuration of routinator: https://github.com/yushoyamaguchi/rpki_container/blob/main/my_routinator1/routinator_start1.sh
The communication between krill and routinator is successful, but in the container on the routinator side I get
When the above code was executed, the following error was printed.
For the first error, the error message (UnknownIssuer) was not included in the routinator source code. Where are these error messages being output from?
I am using a certificate which is generated by the krill testbed. ref: https://blog.apnic.net/2022/05/27/making-a-krill-sandbox/