NLnetLabs / routinator

An RPKI Validator and RTR server written in Rust
https://nlnetlabs.nl/projects/routing/routinator/
BSD 3-Clause "New" or "Revised" License

Question: Location of RRDP-related source code #850

Closed yushoyamaguchi closed 1 year ago

yushoyamaguchi commented 1 year ago

This issue is a question, not a suggestion of a problem with the source code. Sorry. I am using the testbed functionality of krill and running krill and routinator in a docker container with it as the root certificate authority.

Configuration of krill: https://github.com/yushoyamaguchi/rpki_container/blob/main/my_krill1/krill_start7.sh
Configuration of routinator: https://github.com/yushoyamaguchi/rpki_container/blob/main/my_routinator1/routinator_start1.sh

The communication between krill and routinator is successful, but in the container on the routinator side I ran

routinator -v --config /etc/routinator/routinator.conf update

When the above command was executed, the following error was printed.

[WARN] RRDP https://krill.example.org/rrdp/notification.xml: error sending request for url (https://krill.example.org/rrdp/notification.xml): error trying to connect: invalid peer certificate contents: invalid peer certificate: UnknownIssuer
[INFO] RRDP https://krill.example.org/rrdp/notification.xml: Update failed and there is no current copy.
[INFO] RRDP https://krill.example.org/rrdp/notification.xml: Falling back to rsync.
[INFO] rsyncing from rsync://krill.example.org/repo/.

For the first error, the error message (UnknownIssuer) is not included in the routinator source code. Where are these error messages being output from?

I am using a certificate which is generated by the krill testbed. ref: https://blog.apnic.net/2022/05/27/making-a-krill-sandbox/

partim commented 1 year ago

The first error comes from the HTTP library we are using – reqwest.

If you are not using a “proper” certificate (e.g., one generated by Let’s Encrypt), you need to add the issuer to Routinator via the rrdp-root-cert option. If that is still rejected, you can create a certificate that works using these instructions: https://github.com/partim/random-sysadmin-docs/blob/main/generate-self-signed-certificate.md

yushoyamaguchi commented 1 year ago

Thank you very much. I'll try the rrdp-root-cert option because I'm using a self-signed certificate.

yushoyamaguchi commented 1 year ago

@partim Sorry, how can I confirm that communication with the krill server via RRDP succeeded?

partim commented 1 year ago

If you increase the log level to debug with -vv, Routinator reports the servers it talks to and what files it processes from them. Alternatively, if you run it in server mode and enable the HTTP endpoint, the /status path shows all the repositories it collected data from. E.g., https://routinator.do.nlnetlabs.nl/status
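One way to answer the “did RRDP succeed?” question from the -vv log output, as an added example that is not Routinator's own code: it groups the RRDP log lines by notification URL and classifies each repository as updated via RRDP, fallen back to rsync, or rejected for a TLS reason such as UnknownIssuer. The sample input reuses the lines posted in this thread as constructed data; the exact wording of the success line is an assumption based on the “snapshot update completed” phrase quoted later in the thread.

```python
"""Triage Routinator RRDP log lines per repository (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the lines from the issue plus one assumed success line.
SAMPLE_LOG = """\
[WARN] RRDP https://krill.example.org/rrdp/notification.xml: error sending request for url (https://krill.example.org/rrdp/notification.xml): error trying to connect: invalid peer certificate contents: invalid peer certificate: UnknownIssuer
[INFO] RRDP https://krill.example.org/rrdp/notification.xml: Update failed and there is no current copy.
[INFO] RRDP https://krill.example.org/rrdp/notification.xml: Falling back to rsync.
[INFO] rsyncing from rsync://krill.example.org/repo/.
[INFO] RRDP https://rrdp.example.net/notification.xml: snapshot update completed.
"""

# Matches "[LEVEL] RRDP <notification-url>: <message>"; rsync lines do not match.
RRDP_LINE = re.compile(r"^\[(?P<level>[A-Z]+)\] RRDP (?P<url>\S+): (?P<msg>.*)$")

@dataclass
class RepoStatus:
    url: str
    rrdp_ok: bool = False              # an RRDP update completed for this repo
    fell_back_to_rsync: bool = False   # Routinator gave up on RRDP for this run
    tls_error: Optional[str] = None    # cause reported by reqwest, e.g. UnknownIssuer
    messages: List[str] = field(default_factory=list)

def triage(log_text: str) -> Dict[str, RepoStatus]:
    """Group RRDP lines by notification URL and classify the outcome."""
    repos: Dict[str, RepoStatus] = {}
    for line in log_text.splitlines():
        m = RRDP_LINE.match(line)
        if not m:
            continue
        st = repos.setdefault(m["url"], RepoStatus(m["url"]))
        msg = m["msg"]
        st.messages.append(msg)
        if "invalid peer certificate" in msg:
            # reqwest/rustls rejected the server cert; the last token names the cause.
            st.tls_error = msg.rsplit(": ", 1)[-1]
        elif msg.startswith("Falling back to rsync"):
            st.fell_back_to_rsync = True
        elif "update completed" in msg:
            st.rrdp_ok = True
    return repos

def summarize(repos: Dict[str, RepoStatus]) -> List[str]:
    """One human-readable verdict per repository, sorted by URL."""
    out = []
    for url in sorted(repos):
        st = repos[url]
        if st.rrdp_ok:
            out.append(f"{url}: updated via RRDP")
            continue
        via = "fell back to rsync" if st.fell_back_to_rsync else "no update"
        why = f"TLS: {st.tls_error}" if st.tls_error else "see log"
        out.append(f"{url}: {via} ({why})")
    return out

if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE_LOG))))
```

A repository whose verdict is “fell back to rsync (TLS: UnknownIssuer)” is exactly the case where the issuer of the server certificate still needs to be supplied via rrdp-root-cert.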

yushoyamaguchi commented 1 year ago

@partim I'm sorry for the repeated questions.
If possible, please tell me about the code that handles the rrdp-root-cert option.

I would like to investigate an issue where the extra TAs specified in the extra-tals-dir of the config file no longer appear to be verified when I run with the rrdp-root-cert option.

partim commented 1 year ago

The code that processes the list of added root certificates starts here: https://github.com/NLnetLabs/routinator/blob/main/src/collector/rrdp.rs#L1330 – ultimately, the certificate is given to the reqwest HTTP library which does all the actual work.

The only reason I could think of why adding your own certificate should break access to an RRDP server is if your certificate is broken. There should be a log message about this, though?

yushoyamaguchi commented 1 year ago

Thank you for your advice.

This is the difference between using the --rrdp-root-cert option and not using it.

Not using it (screenshot no_cert): it says UnknownIssuer about the certificate.

Using it (screenshot designate_cert): it seems that the process is in progress, but the verification has not been completed.

By the way, I specify a certificate in the way shown in this picture (screenshot cert) using the --rrdp-root-cert option. Is this the correct type of certificate to specify in the --rrdp-root-cert option? (ssl_certificate is the one specified in the nginx config file.)

partim commented 1 year ago

The rrdp-root-cert option is working as expected – Routinator updates successfully in the second example (“snapshot update completed”). The reason you have two ROAs in the first example is that Routinator falls back to fetching via rsync. Looks like there is a discrepancy between the data published via rsync and RRDP.

yushoyamaguchi commented 1 year ago

(screenshot rrdp_success) As you said, the configuration of the RRDP repository in krill was not correct. Thank you very much for your amazing support.