dragonresearch / rpki.net

Dragon Research Labs rpki.net RPKI toolkit

roas or not #394

Closed sraustein closed 11 years ago

sraustein commented 11 years ago

logged in to ca0 gui as rgnet

https://ca0.rpki.net/rpki/routes/ shows no roas
https://ca0.rpki.net/rpki/roa/ shows lotso roas

Trac ticket #379 component gui priority major, owner melkins, created by randy on 2013-01-06T06:04:47Z, last modified 2013-01-08T23:45:42Z

sraustein commented 11 years ago

Is the timestamp for the rcynic data in the routes page somewhat recent?

Trac comment by melkins on 2013-01-07T23:08:39Z

sraustein commented 11 years ago

BGP data updated IPv4: 2013-01-07T22:25:57 IPv6:

rcynic cache updated 2013-01-07T23:10:04

Trac comment by randy on 2013-01-07T23:11:51Z

sraustein commented 11 years ago

Looks like rootd's certificate has expired, as I see this in /var/rcynic/data/rcynic.xml:

```
rsync://ca0.rpki.net/tal/root.cer
rsync://ca0.rpki.net/tal/root.cer
rsync://ca0.rpki.net/tal/root.cer
rsync://ca0.rpki.net/tal/root.cer
```

Trac comment by melkins on 2013-01-07T23:53:36Z

sraustein commented 11 years ago

```
ca0.rpki.net:/usr/local/share/rpki# openssl x509 -in publication/altCA.cer -noout -text
unable to load certificate
62457:error:0906D06C:PEM routines:PEM_read_bio:no start line:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem_lib.c:648:Expecting: TRUSTED CERTIFICATE
```

but i think you really mean rootd's cert, which has expired. and no one warned me!

now how do i fix cleanly?

randy

```
ca0.rpki.net:/usr/local/share/rpki# openssl x509 -in rootd.cer -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=altCA BPKI resource CA
        Validity
            Not Before: Nov 13 20:01:18 2012 GMT
            Not After : Jan 12 20:01:18 2013 GMT
        Subject: CN=altCA BPKI rootd EE
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:bc:ba:6c:b9:89:86:de:a2:ce:6f:c6:4c:b8:be:
                    cd:57:83:bd:52:01:9a:ec:24:d9:7c:84:a7:10:35:
                    13:9c:84:7c:c4:dd:79:70:a2:f5:2d:fa:35:d6:87:
                    ea:7e:6a:b9:d6:eb:82:77:9c:f8:a6:af:52:53:34:
                    6e:c3:83:ac:c6:a9:52:b1:e0:1c:2a:28:b1:cd:02:
                    f1:03:18:37:00:9c:14:29:27:5f:c7:bf:83:03:62:
                    df:8a:74:bb:5f:bb:4d:c1:18:81:a5:a5:59:08:8a:
                    ce:ed:a5:07:dd:ee:57:cb:1b:f0:08:52:b3:99:2f:
                    36:31:82:bc:08:c9:d8:07:38:4d:80:b5:3d:e3:b0:
                    37:f8:ef:38:70:86:1f:53:c7:50:fc:99:e1:25:de:
                    56:f9:1a:2a:06:e3:38:6b:89:c1:ce:cd:6a:94:fb:
                    53:88:b5:e6:15:a7:2d:8d:46:58:79:b3:ae:e4:4a:
                    8e:9d:fb:7c:90:38:51:31:9e:26:91:8c:1d:6e:0b:
                    1e:12:98:ee:63:df:1f:57:b8:4d:d5:5e:90:3a:b9:
                    5e:65:cf:59:2c:40:ac:df:df:e6:66:6c:fc:3b:cc:
                    cf:78:29:18:6c:c5:9f:27:70:61:38:25:a0:42:11:
                    cb:6a:9f:a0:6d:49:e1:95:9e:f3:0e:b7:7c:fb:88:
                    20:4f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                B9:CE:8F:68:EE:6D:63:CE:9A:F8:2F:AA:42:23:06:9E:C1:08:04:08
            X509v3 Authority Key Identifier:
                keyid:8E:F6:AE:BE:6B:CC:DF:FE:B1:96:2C:13:C5:87:72:43:0C:EC:11:9C

    Signature Algorithm: sha256WithRSAEncryption
        9e:38:e3:b4:30:98:14:38:20:7c:3d:61:d4:24:25:c0:8d:8c:
        c4:88:5f:f9:f0:b1:89:2a:3b:73:c6:f8:cc:52:39:d1:95:c4:
        b1:c4:cf:7a:87:5a:54:0d:1e:9d:5e:36:03:6d:83:39:ce:89:
        d8:81:a2:0d:e0:85:bb:48:72:3d:4d:4a:58:76:00:c5:6b:ac:
        e6:40:01:16:06:41:42:c2:3e:26:23:15:d8:7a:74:ff:15:25:
        4d:40:f6:69:6d:7f:d0:11:6d:9b:08:4d:68:70:90:a9:40:0b:
        e3:31:85:5b:1e:e8:f8:e5:91:99:49:98:ba:91:22:c6:30:e7:
        63:e6:cc:63:c7:fd:2f:7a:d2:cc:e3:a1:0b:e3:ed:1c:85:1b:
        34:cc:d7:a1:15:0b:2b:6f:0f:09:71:db:5e:64:df:e4:bb:f8:
        bb:da:19:bc:8a:ac:83:3a:6a:2c:1d:8b:9e:d7:05:9c:d4:5b:
        3a:26:b3:2b:67:ff:0e:6c:97:91:35:cc:99:d6:54:a6:d3:d3:
        36:58:79:e9:37:8a:07:57:21:12:19:d7:d5:59:14:87:dc:6a:
        c2:e1:99:61:ef:31:56:be:3b:4e:3f:21:8e:84:cc:6c:c7:06:
        d8:73:6a:92:29:65:c8:a1:2f:f8:c9:1f:5e:9e:07:d7:dd:39:
        d8:01:4c:1a
```

Trac comment by randy on 2013-01-08T00:19:50Z

sraustein commented 11 years ago

so

o why was i not warned?
o why was it not fixed automagically?
o how do i fix it now?
o where's breakfast? i've been up for four hours!

Trac comment by randy on 2013-01-08T00:29:25Z

sraustein commented 11 years ago

ca0 does not appear to be configured to run the expiration checking script (I just added the documentation, as it was missing):

https://trac.rpki.net/wiki/doc/RPKI/CA/UI/GUI#expire-check

Trac comment by melkins on 2013-01-08T00:34:17Z

sraustein commented 11 years ago

```
i# /usr/local/sbin/rkpigui-check-expired
-bash: /usr/local/sbin/rkpigui-check-expired: No such file or directory
```

Trac comment by randy on 2013-01-08T00:58:22Z

sraustein commented 11 years ago

fixed: /usr/local/sbin/rpkigui-check-expired

Trac comment by melkins on 2013-01-08T01:02:24Z

sraustein commented 11 years ago

```
ca0.rpki.net:/usr/local/share/rpki# /usr/local/sbin/rpkigui-check-expired
Traceback (most recent call last):
  File "/usr/local/sbin/rpkigui-check-expired", line 178, in <module>
    list_received_resources(sys.stdout, h)
  File "/usr/local/lib/python2.7/site-packages/rpki/gui/app/glue.py", line 81, in list_received_resources
    models.ResourceCert.objects.filter(conf=conf).delete()
  File "/usr/local/lib/python2.7/site-packages/django/db/models/query.py", line 513, in delete
    collector.collect(del_query)
  File "/usr/local/lib/python2.7/site-packages/django/db/models/deletion.py", line 175, in collect
    if not sub_objs:
  File "/usr/local/lib/python2.7/site-packages/django/db/models/query.py", line 130, in __nonzero__
    iter(self).next()
  File "/usr/local/lib/python2.7/site-packages/django/db/models/query.py", line 118, in _result_iter
    self._fill_cache()
  File "/usr/local/lib/python2.7/site-packages/django/db/models/query.py", line 892, in _fill_cache
    self._result_cache.append(self._iter.next())
  File "/usr/local/lib/python2.7/site-packages/django/db/models/query.py", line 301, in iterator
    obj = model(*row[index_start:aggregate_start])
  File "/usr/local/lib/python2.7/site-packages/django/db/models/base.py", line 299, in __init__
    for val, field in izip(args, fields_iter):
rpki.POW.POWError: Unknown IP version number
```

Trac comment by randy on 2013-01-08T02:39:03Z

sraustein commented 11 years ago

Have you updated and reinstalled lately? This looks like the issue fixed in https://trac.rpki.net/ticket/355

Trac comment by melkins on 2013-01-08T04:08:41Z

sraustein commented 11 years ago

> Have you updated and reinstalled lately? This looks like the issue fixed in https://trac.rpki.net/ticket/355

just did. restarted daemons. problem persists

```
Jan 8 04:21:56 ca0 rpkid[67123]: : Error on HTTP client connection localhost:4401 <class 'socket.error'> [Errno 61] ECONNREFUSED
Jan 8 04:21:56 ca0 rpkid[67123]: Exception caught in handle_error() at /usr/local/lib/python2.7/site-packages/rpki/http.py:461 called from /usr/local/lib/python2.7/site-packages/rpki/http.py:824
Jan 8 04:21:56 ca0 rpkid[67123]: Exception caught in handle_error() at /usr/local/lib/python2.7/site-packages/rpki/http.py:461 called from /usr/local/lib/python2.7/site-packages/rpki/http.py:824
Jan 8 04:21:56 ca0 rpkid[67123]: Traceback (most recent call last):
Jan 8 04:21:56 ca0 rpkid[67123]:   File "/usr/local/lib/python2.7/site-packages/rpki/http.py", line 697, in gotaddrinfo
Jan 8 04:21:56 ca0 rpkid[67123]:     self.connect((self.address, self.port))
Jan 8 04:21:56 ca0 rpkid[67123]:   File "/usr/local/lib/python2.7/asyncore.py", line 353, in connect
Jan 8 04:21:56 ca0 rpkid[67123]:     raise socket.error(err, errorcode[err])
Jan 8 04:21:56 ca0 rpkid[67123]: error: [Errno 61] ECONNREFUSED
Jan 8 04:21:56 ca0 rpkid[67123]: : Closing due to error
Jan 8 04:21:56 ca0 rpkid[67123]: : Returning exception error(61, 'ECONNREFUSED') to caller: [Errno 61] ECONNREFUSED
Jan 8 04:21:56 ca0 rpkid[67123]: Exception caught in list_failed() at /usr/local/lib/python2.7/site-packages/rpki/rpkid_tasks.py:168 called from /usr/local/lib/python2.7/site-packages/rpki/http.py:930
Jan 8 04:21:56 ca0 rpkid[67123]: Exception caught in list_failed() at /usr/local/lib/python2.7/site-packages/rpki/rpkid_tasks.py:168 called from /usr/local/lib/python2.7/site-packages/rpki/http.py:930
Jan 8 04:21:56 ca0 rpkid[67123]: Traceback (most recent call last):
Jan 8 04:21:56 ca0 rpkid[67123]:   File "/usr/local/lib/python2.7/site-packages/rpki/http.py", line 697, in gotaddrinfo
Jan 8 04:21:56 ca0 rpkid[67123]:     self.connect((self.address, self.port))
Jan 8 04:21:56 ca0 rpkid[67123]:   File "/usr/local/lib/python2.7/asyncore.py", line 353, in connect
Jan 8 04:21:56 ca0 rpkid[67123]:     raise socket.error(err, errorcode[err])
Jan 8 04:21:56 ca0 rpkid[67123]: error: [Errno 61] ECONNREFUSED
Jan 8 04:21:56 ca0 rpkid[67123]: Couldn't get resource class list from parent <rpki.left_right.parent_elt {altCA} altCA>, skipping: [Errno 61] ECONNREFUSED (error(61, 'ECONNREFUSED'))
```

and

```
ca0.rpki.net:/usr/local/src/net/rpki# /usr/local/sbin/rpkigui-check-expired
altCA's HostedCA altCA will expire on 2013-01-12T20:41:38Z
altCA's BSC bsc will expire on 2013-01-12T20:41:38Z
altCA's Child altCA's child IETF will expire on 2013-01-12T20:47:37Z
altCA's Child altCA's child rgnet will expire on 2013-01-12T20:46:18Z
altCA's Repository altCA's repository altCA will expire on 2013-01-12T20:41:38Z
Unable to locate rescert in rcynic cache: handle=altCA uri=rsync://ca0.rpki.net/rpki/altCA.cer not_after=2013-02-05 05:54:45

Traceback (most recent call last):
  File "/usr/local/sbin/rpkigui-check-expired", line 211, in <module>
    message=t + s, from_email=from_email, recipient_list=notify_emails)
  File "/usr/local/lib/python2.7/site-packages/django/core/mail/__init__.py", line 61, in send_mail
    connection=connection).send()
  File "/usr/local/lib/python2.7/site-packages/django/core/mail/message.py", line 248, in send
    return self.get_connection(fail_silently).send_messages([self])
  File "/usr/local/lib/python2.7/site-packages/django/core/mail/backends/smtp.py", line 85, in send_messages
    new_conn_created = self.open()
  File "/usr/local/lib/python2.7/site-packages/django/core/mail/backends/smtp.py", line 48, in open
    local_hostname=DNS_NAME.get_fqdn())
  File "/usr/local/lib/python2.7/smtplib.py", line 249, in __init__
    (code, msg) = self.connect(host, port)
  File "/usr/local/lib/python2.7/smtplib.py", line 309, in connect
    self.sock = self._get_socket(host, port, self.timeout)
  File "/usr/local/lib/python2.7/smtplib.py", line 284, in _get_socket
    return socket.create_connection((port, host), timeout)
  File "/usr/local/lib/python2.7/socket.py", line 571, in create_connection
    raise err
socket.error: [Errno 61] Connection refused
```

Trac comment by randy on 2013-01-08T04:24:29Z

sraustein commented 11 years ago

ok, econnrefused was smtp agent not running

rerun

```
ca0.rpki.net:/usr/local/src/net/rpki# /usr/local/sbin/rpkigui-check-expired
altCA's HostedCA altCA will expire on 2013-01-12T20:41:38Z
altCA's BSC bsc will expire on 2013-01-12T20:41:38Z
altCA's Child altCA's child IETF will expire on 2013-01-12T20:47:37Z
altCA's Child altCA's child rgnet will expire on 2013-01-12T20:46:18Z
altCA's Repository altCA's repository altCA will expire on 2013-01-12T20:41:38Z
Unable to locate rescert in rcynic cache: handle=altCA uri=rsync://ca0.rpki.net/rpki/altCA.cer not_after=2013-02-05 05:54:45
```

and no termination, at least after five mins

```
^CTraceback (most recent call last):
  File "/usr/local/sbin/rpkigui-check-expired", line 211, in <module>
    message=t + s, from_email=from_email, recipient_list=notify_emails)
  File "/usr/local/lib/python2.7/site-packages/django/core/mail/__init__.py", line 61, in send_mail
    connection=connection).send()
  File "/usr/local/lib/python2.7/site-packages/django/core/mail/message.py", line 248, in send
    return self.get_connection(fail_silently).send_messages([self])
  File "/usr/local/lib/python2.7/site-packages/django/core/mail/backends/smtp.py", line 85, in send_messages
    new_conn_created = self.open()
  File "/usr/local/lib/python2.7/site-packages/django/core/mail/backends/smtp.py", line 48, in open
    local_hostname=DNS_NAME.get_fqdn())
  File "/usr/local/lib/python2.7/smtplib.py", line 249, in __init__
    (code, msg) = self.connect(host, port)
  File "/usr/local/lib/python2.7/smtplib.py", line 310, in connect
    (code, msg) = self.getreply()
  File "/usr/local/lib/python2.7/smtplib.py", line 354, in getreply
    line = self.file.readline()
  File "/usr/local/lib/python2.7/socket.py", line 447, in readline
    data = self._sock.recv(self._rbufsize)
KeyboardInterrupt
```

randy

Trac comment by randy on 2013-01-08T04:29:57Z

sraustein commented 11 years ago

looks like the smtp server on localhost is non-responsive.

do you get the 220 reply when you 'telnet localhost 25'

Trac comment by melkins on 2013-01-08T04:35:32Z

sraustein commented 11 years ago

re-whacked smtp

```
ca0.rpki.net:/usr/local/src/net/rpki# /usr/local/sbin/rpkigui-check-expired
altCA's HostedCA altCA will expire on 2013-01-12T20:41:38Z
altCA's BSC bsc will expire on 2013-01-12T20:41:38Z
altCA's Child altCA's child IETF will expire on 2013-01-12T20:47:37Z
altCA's Child altCA's child rgnet will expire on 2013-01-12T20:46:18Z
altCA's Repository altCA's repository altCA will expire on 2013-01-12T20:41:38Z
Unable to locate rescert in rcynic cache: handle=altCA uri=rsync://ca0.rpki.net/rpki/altCA.cer not_after=2013-02-05 05:54:45

rgnet's HostedCA rgnet will expire on 2013-01-12T20:46:18Z
rgnet's BSC bsc will expire on 2013-01-12T20:46:19Z
rgnet's Parent rgnet's parent altCA will expire on 2013-01-12T20:46:18Z
rgnet's Repository rgnet's repository altCA will expire on 2013-01-12T20:46:18Z
Unable to locate rescert in rcynic cache: handle=rgnet uri=rsync://ca0.rpki.net/rpki/altCA/1/3T4fihnQdxX8Q1IGzosxEoQYMjU.cer not_after=2013-11-13 20:46:18

IETF's HostedCA IETF will expire on 2013-01-12T20:47:37Z
IETF's BSC bsc will expire on 2013-01-12T20:47:37Z
IETF's Parent IETF's parent altCA will expire on 2013-01-12T20:47:37Z
IETF's Repository IETF's repository altCA will expire on 2013-01-12T20:47:37Z
Unable to locate rescert in rcynic cache: handle=IETF uri=rsync://ca0.rpki.net/rpki/altCA/1/QtQuBTaAD9bUfoS49ML7WYblA-c.cer not_after=2013-11-13 20:47:37
```

Trac comment by randy on 2013-01-08T04:41:30Z

sraustein commented 11 years ago

> Unable to locate rescert in rcynic cache: handle=altCA uri=rsync://ca0.rpki.net/rpki/altCA.cer not_after=2013-02-05 05:54:45

This error is expected given your current expired rootd cert. The script asks rpkid what it has published, and the script can't find it in the rcynic cache, because it is not valid.

Trac comment by melkins on 2013-01-08T04:50:05Z

sraustein commented 11 years ago

it is really farbled. now dashboard no longer has roa etc options, only routes

randy

Trac comment by randy on 2013-01-08T05:23:48Z

sraustein commented 11 years ago

see what this says:

```
irbe_cli list_received_resources --self_handle=rgnet
```

my guess is you are hosed until you solve #382.

Trac comment by melkins on 2013-01-08T05:34:02Z

sraustein commented 11 years ago

```
ca0.rpki.net:/usr/local/src/net/rpki# irbe_cli list_received_resources --self_handle=rgnet
<?xml version='1.0' encoding='us-ascii'?>

<?xml version='1.0' encoding='us-ascii'?>
```

and if you think that is clear to me, ... though it does look to not be expired

randy

Trac comment by randy on 2013-01-08T05:39:52Z

sraustein commented 11 years ago

> and if you think that is clear to me, ... though it does look to not be expired

yup, but check /var/rcynic/data/rcynic.xml to see if it actually got picked up. it won't if a (grand)parent cert doesn't validate.

the routes page in the gui shows data from the rcynic cache, while the dashboard shows what rpkid claims it has published. the idea is that the routes page shows you what other RPs will see.

Trac comment by melkins on 2013-01-08T05:46:08Z
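The distinction melkins draws above (the routes page shows the rcynic cache, i.e. what other relying parties see, while the dashboard shows what rpkid believes it has published) is easiest to act on with a script over rcynic.xml. The following is an added example, not rpki.net code: it reads the `validation_status` elements rcynic writes (text is the rsync URI, with `status`, `timestamp` and `generation` attributes) and gives one verdict per URI. The sample document and the status names in it are constructed for illustration; check them against the rcynic.xml on your own relying-party host.

```python
"""Summarise what rcynic actually accepted, per object URI.

Added example, not part of rpki.net.  Answers the question "did my object get
picked up by the relying-party side?" from /var/rcynic/data/rcynic.xml.
Status names used in the sample are assumptions, not a list taken from rcynic.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the shape of rcynic.xml (not real data).
SAMPLE_RCYNIC_XML = """<rcynic-summary date="2013-01-07T23:10:04Z">
  <validation_status timestamp="2013-01-07T23:10:01Z" status="rsync_transfer_succeeded" generation="">rsync://ca0.rpki.net/tal/root.cer</validation_status>
  <validation_status timestamp="2013-01-07T23:10:01Z" status="certificate_expired" generation="current">rsync://ca0.rpki.net/tal/root.cer</validation_status>
  <validation_status timestamp="2013-01-07T23:10:01Z" status="object_rejected" generation="current">rsync://ca0.rpki.net/tal/root.cer</validation_status>
  <validation_status timestamp="2013-01-07T23:10:02Z" status="rsync_transfer_succeeded" generation="">rsync://example.net/rpki/other.cer</validation_status>
  <validation_status timestamp="2013-01-07T23:10:02Z" status="object_accepted" generation="current">rsync://example.net/rpki/other.cer</validation_status>
</rcynic-summary>
"""

ACCEPTED = "object_accepted"     # assumed name of the "validated OK" status
TRANSFER_PREFIX = "rsync_"       # transfer bookkeeping, not a validation verdict


def parse_rcynic(xml_text):
    """Map each URI to its list of (timestamp, status, generation) entries."""
    root = ET.fromstring(xml_text)
    by_uri = defaultdict(list)
    for el in root.iter("validation_status"):
        uri = (el.text or "").strip()
        if uri:
            by_uri[uri].append((el.get("timestamp"), el.get("status"), el.get("generation")))
    return dict(by_uri)


def verdict(entries):
    """Collapse one URI's entries into accepted / rejected (reasons) / no verdict."""
    statuses = sorted({status for _, status, _ in entries})
    if ACCEPTED in statuses:
        return "accepted"
    reasons = [s for s in statuses if not s.startswith(TRANSFER_PREFIX)]
    if reasons:
        return "rejected (" + ", ".join(reasons) + ")"
    return "fetched, no verdict"


def report(xml_text, prefix=""):
    """Verdict per URI, optionally restricted to one publication point."""
    return {uri: verdict(entries)
            for uri, entries in sorted(parse_rcynic(xml_text).items())
            if uri.startswith(prefix)}


def is_picked_up(xml_text, uri):
    """'absent' means rcynic never saw the URI, e.g. a ROA under a CA that failed."""
    return report(xml_text).get(uri, "absent")


if __name__ == "__main__":
    for uri, outcome in report(SAMPLE_RCYNIC_XML).items():
        print(uri, "->", outcome)
```

Run it against the real file with `report(open("/var/rcynic/data/rcynic.xml").read(), "rsync://ca0.rpki.net/")` to list only your own CA's objects. A URI that is `absent` rather than `rejected` is the signature of the situation in this ticket: once a (grand)parent certificate fails validation, rcynic never descends to the children, so they produce no entries at all.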

sraustein commented 11 years ago

> check /var/rcynic/data/rcynic.xml to see if it actually got picked up.

'check'?

Trac comment by randy on 2013-01-08T05:55:43Z

sraustein commented 11 years ago

so my root.cer expired. and it was not renewed by the commands i was given. i hacked the web browser to let me see rcynic, and

[[Image(cert-exp.jpg)]]

if i just

```
$ openssl x509 -req -sha256 \
    -signkey root.key -in root.req \
    -outform DER -out root.cer \
    -extfile root.conf -extensions x509v3_extensions
```

will it re-sign, the keys will not change, and i can push the expiration out?

and, in the docco, it should tell you how to make the root cert have a long life.

Trac comment by randy on 2013-01-08T07:36:09Z

sraustein commented 11 years ago

cert-exp.jpg Added by email2trac Trac attachment by randy on 2013-01-08T23:45:42Z

sraustein commented 11 years ago

> These error is expected given your current expired rootd cert.

the root.cer seems to be what has expired, yes?

Trac comment by randy on 2013-01-08T07:36:57Z

sraustein commented 11 years ago

```
$ openssl x509 -req -sha256 \
    -signkey root.key -in root.req \
    -outform DER -out root.cer \
    -extfile root.conf -extensions x509v3_extensions \
    -days 1825
```

seems to have worked

```
ca0.rpki.net:/usr/local/share/rpki# /usr/local/sbin/rpkigui-check-expired
ca0.rpki.net:/usr/local/share/rpki#
```

web page still does not give me a roas button etc. just routes, dashboard, and identity.

randy

Trac comment by randy on 2013-01-08T08:03:09Z
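The re-signing above pushes the notAfter of root.cer out by five years without changing the key, but nothing in the thread watches that date. As an added example (not rpki.net code, and not a substitute for rpkigui-check-expired, which only covers the objects the GUI knows about), the script below reads notBefore/notAfter straight from a DER certificate such as root.cer or rootd.cer, using only the standard library, and classifies it as ok / expiring / expired against a warning window. `build_sample_cert` is a constructed, unsigned stand-in certificate with just enough TBS structure for the walker, so the check can be exercised offline; the thresholds and names are assumptions.

```python
"""Read notBefore/notAfter from a DER certificate and warn ahead of expiry.

Added example, not part of rpki.net.  Decodes only the ASN.1 needed to reach
the Validity field of a Certificate (RFC 5280), so it works on the DER files
rpki.net writes (root.cer, rootd.cer) without shelling out to openssl.
"""
import datetime as dt

UTCTIME, GENERALIZEDTIME, SEQUENCE, CTX0 = 0x17, 0x18, 0x30, 0xA0


def utc(*args):
    """Aware UTC datetime, e.g. utc(2013, 1, 12, 20, 1, 18)."""
    return dt.datetime(*args, tzinfo=dt.timezone.utc)


def der_tlv(buf, off):
    """Return (tag, content_start, content_end) for the TLV at buf[off]."""
    tag, off = buf[off], off + 1
    length, off = buf[off], off + 1
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    return tag, off, off + length


def der_children(buf, start, end):
    """Yield (tag, content_start, content_end) for each TLV in a constructed element."""
    off = start
    while off < end:
        tag, cstart, cend = der_tlv(buf, off)
        yield tag, cstart, cend
        off = cend


def parse_time(tag, raw):
    text = raw.decode("ascii")
    if tag == UTCTIME:                      # YYMMDDHHMMSSZ (years 1950-2049)
        fmt = "%y%m%d%H%M%SZ"
    elif tag == GENERALIZEDTIME:            # YYYYMMDDHHMMSSZ
        fmt = "%Y%m%d%H%M%SZ"
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return dt.datetime.strptime(text, fmt).replace(tzinfo=dt.timezone.utc)


def cert_validity(der):
    """Return (notBefore, notAfter) of a DER Certificate."""
    _, cs, _ = der_tlv(der, 0)                        # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = der_tlv(der, cs)                # tbsCertificate
    fields = list(der_children(der, tbs_s, tbs_e))
    if fields[0][0] == CTX0:                          # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    vtag, vs, ve = fields[3]
    if vtag != SEQUENCE:
        raise ValueError("validity is not a SEQUENCE")
    (t1, s1, e1), (t2, s2, e2) = list(der_children(der, vs, ve))
    return parse_time(t1, der[s1:e1]), parse_time(t2, der[s2:e2])


def days_left(der, now=None):
    now = now or dt.datetime.now(dt.timezone.utc)
    return (cert_validity(der)[1] - now).total_seconds() / 86400.0


def check(der, warn_days=30, now=None):
    """'expired', 'expiring' (inside the warning window) or 'ok'."""
    remaining = days_left(der, now)
    if remaining < 0:
        return "expired"
    if remaining < warn_days:
        return "expiring"
    return "ok"


# --- constructed test fixture: a minimal, unsigned stand-in for root.cer ---
def _der(tag, content):
    n = len(content)
    length = bytes([n]) if n < 0x80 else (
        bytes([0x80 | ((n.bit_length() + 7) // 8)]) + n.to_bytes((n.bit_length() + 7) // 8, "big"))
    return bytes([tag]) + length + content


def build_sample_cert(not_before, not_after):
    version = _der(CTX0, _der(0x02, b"\x02"))                    # v3
    serial = _der(0x02, b"\x02")
    sig_alg = _der(SEQUENCE, _der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
    issuer = _der(SEQUENCE, b"")                                 # empty Name, enough for the walker
    times = b"".join(_der(UTCTIME, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))
                     for t in (not_before, not_after))
    tbs = _der(SEQUENCE, version + serial + sig_alg + issuer + _der(SEQUENCE, times))
    return _der(SEQUENCE, tbs + sig_alg + _der(0x03, b"\x00"))   # no real signature


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            der = f.read()
        print(path, cert_validity(der)[1].isoformat(), check(der))
```

Run as `python check_cert.py /usr/local/share/rpki/publication/root.cer /usr/local/share/rpki/rootd.cer` from cron and alert on anything other than `ok`. The openssl equivalent for a single file is `openssl x509 -inform DER -in root.cer -noout -enddate`, or `openssl x509 -inform DER -in root.cer -noout -checkend 2592000` for a 30-day window (non-zero exit when inside it).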

sraustein commented 11 years ago

> web page still does not give me a roas button etc. just routes, dashboard, and identity.

can you send a screenshot of your dashboard. not clear to me what you mean by this.

Trac comment by melkins on 2013-01-08T17:09:08Z

sraustein commented 11 years ago

[[Image(dash.jpg)]]

Trac comment by randy on 2013-01-08T21:51:19Z

sraustein commented 11 years ago

dash.jpg Added by email2trac Trac attachment by randy on 2013-01-08T23:45:42Z

sraustein commented 11 years ago

is this the same bug as https://trac.rpki.net/ticket/325 ?

i just merged the support for adding a quick link for generating a roa from the unused resources list

Trac comment by melkins on 2013-01-08T23:21:54Z

sraustein commented 11 years ago

> is this the same bug as https://trac.rpki.net/ticket/325 ?

no. 325 is a feature request. this is a bug.

let me open a clean ticket

Trac comment by randy on 2013-01-08T23:29:53Z

sraustein commented 11 years ago

if i explicitly try to go to the roa page, 404

```
Page not found (404)
Request Method: GET
Request URL: https://ca0.rpki.net/rpki/roa/

Using the URLconf defined in rpki.gui.urls, Django tried these URL patterns, in this order:

^api/
^cacheview/
^rpki/ ^$
^rpki/ ^conf/export$
^rpki/ ^conf/list$
^rpki/ ^conf/select$
^rpki/ ^parent/import$
^rpki/ ^parent/(?P\d+)/$
^rpki/ ^parent/(?P\d+)/delete$
^rpki/ ^parent/(?P\d+)/export$
^rpki/ ^child/import$
^rpki/ ^child/(?P\d+)/$
^rpki/ ^child/(?P\d+)/add_address$
^rpki/ ^child/(?P\d+)/add_asn$
^rpki/ ^child/(?P\d+)/delete$
^rpki/ ^child/(?P\d+)/edit$
^rpki/ ^child/(?P\d+)/export$
^rpki/ ^gbr/create$ [name='gbr-create']
^rpki/ ^gbr/(?P\d+)/$ [name='gbr-detail']
^rpki/ ^gbr/(?P\d+)/edit$ [name='gbr-edit']
^rpki/ ^gbr/(?P\d+)/delete$ [name='gbr-delete']
^rpki/ ^refresh$
^rpki/ ^client/import$
^rpki/ ^client/(?P\d+)/$
^rpki/ ^client/(?P\d+)/delete$
^rpki/ ^client/(?P\d+)/export$
^rpki/ ^repo/import$
^rpki/ ^repo/(?P\d+)/$
^rpki/ ^repo/(?P\d+)/delete$
^rpki/ ^roa/(?P\d+)/$
^rpki/ ^roa/create$
^rpki/ ^roa/confirm$
^rpki/ ^roa/(?P\d+)/delete$
^rpki/ ^route/$
^rpki/ ^route/(?P\d+)/$
^rpki/ ^user/$
^rpki/ ^user/create$
^rpki/ ^user/(?P\d+)/delete$
^rpki/ ^user/(?P\d+)/edit$
^accounts/login/$
^accounts/logout/$

The current URL, rpki/roa/, didn't match any of these.

You're seeing this error because you have DEBUG = True in your Django settings file. Change that to False, and Django will display a standard 404 page.
```

Trac comment by randy on 2013-01-08T23:39:24Z

sraustein commented 11 years ago

perhaps a silly question, but did you scroll down on that page? i can see from your scrollbar you are only viewing half the page. in https://trac.rpki.net/ticket/328 you stated you wanted everything you own on a single page.

Trac comment by melkins on 2013-01-08T23:43:52Z

sraustein commented 11 years ago

oh, it all moved down the page. apologies.

Trac comment by randy on 2013-01-08T23:45:42Z

sraustein commented 11 years ago

Closed with resolution invalid