work0 whines a lot

[sraustein]

{{{ Aug 20 05:27:33 work0 rpkid[32739]: Certificate SKIs in resource class 635 in list_response from parent rgnet that are missing from our database: o5hYOEcUAwfPuc3eZKP9pwM7EAc Aug 20 05:29:34 work0 rpkid[32739]: Certificate SKIs in resource class 635 in list_response from parent rgnet that are missing from our database: o5hYOEcUAwfPuc3eZKP9pwM7EAc Aug 20 05:31:39 work0 rpkid[32739]: Certificate SKIs in resource class 635 in list_response from parent rgnet that are missing from our database: o5hYOEcUAwfPuc3eZKP9pwM7EAc Aug 20 05:33:35 work0 rpkid[32739]: Certificate SKIs in resource class 635 in list_response from parent rgnet that are missing from our database: o5hYOEcUAwfPuc3eZKP9pwM7EAc Aug 20 05:35:36 work0 rpkid[32739]: Certificate SKIs in resource class 635 in list_response from parent rgnet that are missing from our database: o5hYOEcUAwfPuc3eZKP9pwM7EAc Aug 20 05:37:36 work0 rpkid[32739]: Certificate SKIs in resource class 635 in list_response from parent rgnet that are missing from our database: o5hYOEcUAwfPuc3eZKP9pwM7EAc Aug 20 05:39:37 work0 rpkid[32739]: Certificate SKIs in resource class 635 in list_response from parent rgnet that are missing from our database: o5hYOEcUAwfPuc3eZKP9pwM7EAc Aug 20 05:41:41 work0 rpkid[32739]: Certificate SKIs in resource class 635 in list_response from parent rgnet that are missing from our database: o5hYOEcUAwfPuc3eZKP9pwM7EAc Aug 20 05:43:38 work0 rpkid[32739]: Certificate SKIs in resource class 635 in list_response from parent rgnet that are missing from our database: o5hYOEcUAwfPuc3eZKP9pwM7EAc Aug 20 05:45:38 work0 rpkid[32739]: Certificate SKIs in resource class 635 in list_response from parent rgnet that are missing from our database: o5hYOEcUAwfPuc3eZKP9pwM7EAc Aug 20 05:47:38 work0 rpkid[32739]: Certificate SKIs in resource class 635 in list_response from parent rgnet that are missing from our database: o5hYOEcUAwfPuc3eZKP9pwM7EAc Aug 20 05:49:38 work0 rpkid[32739]: Certificate SKIs in resource class 635 in list_response from parent rgnet that are missing from our database: o5hYOEcUAwfPuc3eZKP9pwM7EAc Aug 20 05:51:43 work0 rpkid[32739]: Certificate SKIs in resource class 635 in list_response from parent rgnet that are missing from our database: o5hYOEcUAwfPuc3eZKP9pwM7EAc Aug 20 05:53:40 work0 rpkid[32739]: Certificate SKIs in resource class 635 in list_response from parent rgnet that are missing from our database: o5hYOEcUAwfPuc3eZKP9pwM7EAc

}}}

Trac ticket #14 component rpkid priority minor, owner sra, created by randy@psg.com on 2011-08-22T05:14:17Z, last modified 2012-02-20T20:27:09Z

[sraustein]

{{{ the client that's making this complaint (not shown in your excerpt, perhaps due to a log level oops) is saying that its parent (rgnet) claims to have issued a cert to it that it doesn't know about. we don't clear this automatically because we don't know why or how the child forgot about the cert, the theory was that the child might be able to restore from backup or something so we should just just revoke automatically.

there's a control operation in the left-right protocol that will trigger a manual revoke in this case. irbe_cli supports it, dunno whether the gui does yet.

}}}

Trac comment by sra on 2011-08-22T05:15:53Z

[sraustein]

{{{ work0.psg.com:/root# irbe_cli --config=/usr/local/var/rpki/conf/rgnet/rpki.conf parent --revoke_forgotten Traceback (most recent call last): File "/usr/local/sbin/irbe_cli", line 323, in client_key = rpki.x509.RSA( Auto_file = cfg.get("rpkid-irbe-key")), File "/usr/X11R6/lib/python2.6/site-packages/rpki/x509.py", line 159, in init self.set(**kw) File "/usr/X11R6/lib/python2.6/site-packages/rpki/x509.py", line 190, in set f = open(kw[name], "rb") IOError: [Errno 2] No such file or directory: 'bpki/servers/irbe.key'

and if i s/parent/rgnet/ i get the usage: info

randy, confuddled as usual

}}}

Trac comment by sra on 2011-08-22T05:17:00Z

[sraustein]

{{{

work0.psg.com:/root# irbe_cli --config=/usr/local/var/rpki/conf/rgnet/rpki.conf parent --revoke_forgotten IOError: [Errno 2] No such file or directory: 'bpki/servers/irbe.key'

Several different problems here, and part of the reason why this sort of control needs to become part of the GUI:

1) You told irbe_cli to use a config file that contains relative filenames, but you weren't running in the directory where those filenames make sense. If the filenames in that config file were absolute, you wouldn't have gotten this error (you would, however, have gotten another one).

2) irbe_cli's syntax is, um, obscure. In this case, you omitted the --self_handle and --parent_handle attributes. Given the log message we saw, --parent_handle=rgnet would have been correct, the question is which --self_handle you should have used (rgnet has several dozen children due to the lab setup). That should be somewhere in the rpkid.log, but may not be showing up due to log level settings (read: the error message that started this thread is not self-contained, and probably needs to be).

3) The GUI for this user should be displaying the problem and offering a button to click to fix it, since the only reason we don't fix this automatically is paranoia about automatically deleting keys that might be recoverable from backup.

}}}

Trac comment by sra on 2011-08-22T14:51:26Z

[sraustein]

r3958 added a directory parameter to rpki.conf to make it more obvious that filenames are relative and to make it easier to change them to be absolute.

Trac comment by sra on 2011-08-22T15:21:14Z

[sraustein]

{{{ Note that we have been here before:

At Wed, 09 Mar 2011 05:59:40 +0900, Randy Bush wrote:

it was trying to give you the usage message because i keyboarded the command incorrectly. try:

$ cd /where/ever/rgnet/keeps/its/files $ irbe_cli -c myrpki.conf self --self_handle labuser32 --action set --revoke_forgotten

now why did i not think of that? :)

better

work0.psg.com:/usr/local/var/rpki/conf/rgnet# irbe_cli -c rpki.conf self --self_handle labuser32 --action set --revoke_forgotten

<?xml version='1.0' encoding='us-ascii'?>

<?xml version='1.0' encoding='us-ascii'?>

}}}

Trac comment by sra on 2011-08-28T16:38:16Z

[sraustein]

{{{

$ irbe_cli -c myrpki.conf self --self_handle labuser32 --action set --revoke_forgotten

but what is the self_handle for

Aug 29 00:09:32 work0 rpkid[32739]: Certificate SKIs in resource class 635 in list_response from parent rgnet that are missing from our database: o5hYOEcUAwfPuc3eZKP9pwM7EAc

}}}

Trac comment by randy@psg.com on 2011-08-29T08:32:34Z

[sraustein]

{{{ work0.psg.com:/# find . -name myrpki.conf work0.psg.com:/#

randy

}}}

Trac comment by randy@psg.com on 2011-08-29T09:10:32Z

[sraustein]

{{{

$ irbe_cli -c myrpki.conf self --self_handle labuser32 --action set --revoke_forgotten

but what is the self_handle for

Aug 29 00:09:32 work0 rpkid[32739]: Certificate SKIs in resource class 635 in list_response from parent rgnet that are missing from our database: o5hYOEcUAwfPuc3eZKP9pwM7EAc

It helps to look at a bit more of the log:

Aug 29 15:49:17 work0 rpkid[32739]: Self labuser05[9] polling parents Aug 29 15:49:17 work0 rpkid[32739]: Sending "list" request to parent rgnet Aug 29 15:49:17 work0 rpkid[32739]: Serving list query from child labuser05 [sender labuser05, recipient rgnet] Aug 29 15:49:17 work0 rpkid[32739]: Parent rgnet and I agree that I have SKI w1cxtC6i9jTHbv_tFPXYnvK7tXI in resource class 635 Aug 29 15:49:17 work0 rpkid[32739]: Parent rgnet thinks I have SKI o5hYOEcUAwfPuc3eZKP9pwM7EAc in resource class 635 but I don't think so Aug 29 15:49:17 work0 rpkid[32739]: Certificate SKIs in resource class 635 in list_response from parent rgnet that are missing from our database: o5hYOEcUAwfPuc3eZKP9pwM7EAc

So self_handle is labuser05.

work0.psg.com:/# find . -name myrpki.conf work0.psg.com:/#

We renamed myrpki.conf => rpki.conf a while ago. The message I quoted was from before that change.

}}}

Trac comment by sra on 2011-08-29T16:12:45Z

[sraustein]

but what is the self_handle for

Aug 29 00:09:32 work0 rpkid[32739]: Certificate SKIs in resource class 635 in list_response from parent rgnet that are missing from our database: o5hYOEcUAwfPuc3eZKP9pwM7EAc

Should I interpret this as request that the self_handle appear in that log line?

Trac comment by sra on 2011-08-29T18:11:38Z

[sraustein]

In [4355]: {{{

!CommitTicketReference repository="" revision="4355"

Include self_handle in up-down resource mismatch reports. Closes #14. }}}

Trac comment by sra on 2012-02-20T20:27:09Z

[sraustein]

Closed with resolution fixed