RIPE-NCC / rpki-validator-3

RIPE NCC RPKI Validator 3

Bad trust anchor (?) leaves status as 'pending' #269

Closed rlhennig closed 4 years ago

rlhennig commented 4 years ago

Not exactly sure how I did this, but somehow I have two ARIN TALs and one of them is somehow invalid, and the state is stuck at 'pending'. This results in the server status as 'false':

{"data":{"ready":false,"sessionId":11795,"serialNumber":0,"announcementsCount":0,"deltas":[]}}

Entries like this are in the logs as a result:

rpki-rtr-server.sh: 2020-09-08 15:55:13.968 INFO 13387 --- [eduler_Worker-8] n.r.r.r.a.v.RefreshCacheController : validator http://172.31.11.12:8080/api/objects/validated not ready yet, will retry later

And a curl against the validated object shows the duplicate TAs:

[bla bla bla output cut]
{
      "type" : "trust-anchor",
      "id" : 5,
      "name" : "ARIN",
      "locations" : [ "rsync://rpki.arin.net/repository/arin-rpki-ta.cer" ],
      "subjectPublicKeyInfo" : "MIIBIjA-bla-bla-bla",
      "rsyncPrefetchUri" : "rsync://rpki.arin.net/repository/",
      "preconfigured" : false,
      "initialCertificateTreeValidationRunCompleted" : true,
      "certificate" : "MIIEczCCA1ubla-bla-bla",
      "links" : {
        "self" : "http://172.31.11.11:8080/api/trust-anchors/5"
      }
    }, {
      "type" : "trust-anchor",
      "id" : 6,
      "name" : "ARIN",
      "locations" : [ "rsync://rpki.arin.net/repository/arin-rpki-ta.cer" ],
      "subjectPublicKeyInfo" : "MIIBIjA-bla-bla-bla",
      "rsyncPrefetchUri" : "rsync://rpki.arin.net/repository/",
      "preconfigured" : false,
      "initialCertificateTreeValidationRunCompleted" : false,
      "certificate" : "MIIEczCCA1u-bla-bla-bla",

I need to get this 6th one removed, I think, to get it working properly -- not exactly sure how. Removing the database via sudo rm -Rf /var/lib/rpki-validator-3/db/* as per the Troubleshooting wiki seems to make no difference, as the duplicate TAL appears to remain. Healthcheck output:

curl http://172.31.11.12:8080/api/healthcheck
{
  "data" : {
    "overalStatus" : "OK",
    "trustAnchorReady" : [ {
      "taName" : "AfriNIC RPKI Root",
      "complete" : true
    }, {
      "taName" : "APNIC RPKI Root",
      "complete" : true
    }, {
      "taName" : "ARIN",
      "complete" : true
    }, {
      "taName" : "ARIN",
      "complete" : false
    }, {
      "taName" : "LACNIC RPKI Root",
      "complete" : true
    }, {
      "taName" : "RIPE NCC RPKI Root",
      "complete" : true
    } ],
    "bgpDumpReady" : {
      "https://www.ris.ripe.net/dumps/riswhoisdump.IPv6.gz" : true,
      "https://www.ris.ripe.net/dumps/riswhoisdump.IPv4.gz" : true
    },
    "databaseStatus" : {
      "READONLY_TRANSACTIONS" : "1590410",
      "DISK_USAGE" : "749898183",
      "BYTES_WRITTEN" : "99785804231",
      "FLUSHED_TRANSACTIONS" : "47528",
      "ACTIVE_TRANSACTIONS" : "0",
      "BYTES_MOVED_BY_GC" : "198598852",
      "BYTES_READ" : "28188344320",
      "TRANSACTIONS" : "196183",
      "UTILIZATION_PERCENT" : "50"
    },
    "buildInformation" : {
      "version" : "3.1-2020.08.20.14.52"
    }
  }

Any thoughts?

rlhennig commented 4 years ago

This was resolved with a simple yum uninstall rpki-validator and a removal of the /var/lib/rpki-validator-3/ dir and a reinstall. Not sure what went wrong but that was the easiest solution.

ties commented 4 years ago

Technically it is possible to delete the additional trust anchor through the API. However, it should not be possible to upload a duplicate.

This is being tracked on our internal issue tracker.