dragonresearch / rpki.net

Dragon Research Labs rpki.net RPKI toolkit

Validation Status: unknown in routes page #419

Closed sraustein closed 11 years ago

sraustein commented 11 years ago

One LIR issued their ROA on rpki01.nic.ad.jp, but the validation status on the "routes" page is "unknown". (The page is saved and attached.)

```
print_roa /var/rcynic/data/authenticated/rpki01.nic.ad.jp//repository//JPNIC02/NET-TECH/12/4SoEZroAJ1mYF3ul2GWPS6siLBI.roa
Certificates:   1
CRLs:           0
SignerId[0]:    e1:2a:04:66:ba:00:27:59:98:17:7b:a5:d8:65:8f:4b:ab:22:2c:12 [Matches certificate 0] [signingTime(U) 130128055431Z]
eContentType:   1.2.840.113549.1.9.16.1.24
version:        0 [Defaulted]
asID:           9363
addressFamily:  1
  IPaddress:    210.251.160.0/20
```

Do you have any idea why validation status is unknown?

Trac ticket #404 component gui priority minor, owner melkins, created by taiji-k on 2013-01-29T02:54:20Z, last modified 2013-02-11T17:07:39Z

sraustein commented 11 years ago

RPKI_unknown.tgz: html file and css referred from it. Trac attachment by taiji-k on 2013-02-11T17:07:39Z

sraustein commented 11 years ago

Did you set up a cron job to run the rpkigui-rcynic script described here?

https://trac.rpki.net/wiki/doc/RPKI/CA/UI/GUI#InstallationofRouteViewsSupportfortheGUI

Trac comment by melkins on 2013-01-29T22:01:05Z

sraustein commented 11 years ago

Oops. "/usr/local/sbin/rpkigui-rcynic -l error" was not in /etc/cron.daily/rcynic.

Now it is.

```
cat /etc/cron.daily/rcynic
#!/bin/sh -
/usr/bin/chrootuid /var/rcynic rcynic /bin/rcynic -c /etc/rcynic.conf || exit
/var/rcynic/bin/rcynic-html /var/rcynic/data/rcynic.xml /var/www/rcynic
cd /var/rpki-rtr
/usr/bin/sudo -u rcynic /usr/local/bin/rtr-origin --cronjob /var/rcynic/data/authenticated
/usr/local/sbin/rpkigui-rcynic -l error
```

```
crontab -l
30 */2 * * * root /usr/local/sbin/do-routeviews
```

I've executed them by hand, but nothing changed: still "unknown" in the GUI. Does "jitter" need to be taken care of?

```
grep -i jitt /var/rcynic/etc/rcynic.conf
jitter = 10
```

Trac comment by taiji-k on 2013-01-30T12:09:06Z

sraustein commented 11 years ago

There is no date under "rcynic cache last updated", which means that the rpkigui-rcynic script must have encountered some error and did not complete. Can you check for errors generated in your cron script?

Trac comment by melkins on 2013-01-31T00:23:25Z

sraustein commented 11 years ago

Two logs below: (1) is from running /etc/cron.daily/rcynic on the command line, (2) is the error output after (1).

In (2), the 6 certs used for signing ROAs seem not to be found by rpkigui-rcynic.

And in the GUI, some LIRs' Resources have nothing. Is there any way to issue a resource cert after "rpkic load_prefixes"?

(1) /var/log/syslog

```
Jan 31 17:06:58 rpki01 rsyncd[29299]: connect from rpki01.nic.ad.jp (202.12.30.91)
Jan 31 17:06:58 rpki01 rsyncd[29299]: rsync on repository/jpnic-ta-02_cert.der from rpki01.nic.ad.jp (202.12.30.91)
Jan 31 17:06:59 rpki01 rsyncd[29299]: building file list
Jan 31 17:06:59 rpki01 rsyncd[29299]: sent 83 bytes received 33 bytes total size 15161
Jan 31 17:06:59 rpki01 rsyncd[29302]: connect from rpki01.nic.ad.jp (202.12.30.91)
Jan 31 17:06:59 rpki01 rsyncd[29302]: rsync on repository/ from rpki01.nic.ad.jp (202.12.30.91)
Jan 31 17:06:59 rpki01 rsyncd[29302]: building file list
Jan 31 17:06:59 rpki01 rsyncd[29302]: send rpki01.nic.ad.jp [202.12.30.91] repository () JPNIC02/1/MEELLWAo1ssjtKv4ht_QMxI3og8.crl 678
Jan 31 17:06:59 rpki01 rsyncd[29302]: send rpki01.nic.ad.jp [202.12.30.91] repository () JPNIC02/1/MEELLWAo1ssjtKv4ht_QMxI3og8.mft 2409
Jan 31 17:06:59 rpki01 rsyncd[29302]: send rpki01.nic.ad.jp [202.12.30.91] repository () JPNIC02/IZUMI/10/Zcm_vEvxqcusNgara3ouYYPSM-s.crl 434
Jan 31 17:06:59 rpki01 rsyncd[29302]: send rpki01.nic.ad.jp [202.12.30.91] repository () JPNIC02/IZUMI/10/Zcm_vEvxqcusNgara3ouYYPSM-s.mft 2103
Jan 31 17:06:59 rpki01 rsyncd[29302]: sent 6551 bytes received 193 bytes total size 129291
Jan 31 17:07:01 rpki01 rtr-origin/cronjob[29321]: # No change, new version not needed
```

(2)

sh /etc/cron.daily/rcynic -l debug

```
INFO:main:querying for published objects
DEBUG:main:adding rsync://rpki01.nic.ad.jp/repository/JPNIC02/1/iXd-QWeuN6oGlttoCyIcewT6O3A.cer
DEBUG:main:adding rsync://rpki01.nic.ad.jp/repository/JPNIC02/1/by6IMrcxf6_D9SnCx832JA0iRKM.cer
DEBUG:main:adding rsync://rpki01.nic.ad.jp/repository/JPNIC02/1/zyXYld2AYpZPn9Kv4XmBLTsOSWU.cer
DEBUG:main:adding rsync://rpki01.nic.ad.jp/repository/JPNIC02/1/Zcm_vEvxqcusNgara3ouYYPSM-s.cer
DEBUG:main:adding rsync://rpki01.nic.ad.jp/repository/JPNIC02/1/ys59rIpVwbmvq01GZ4OCh4_czCM.cer
DEBUG:main:adding rsync://rpki01.nic.ad.jp/repository/JPNIC02/1/tJhFUeKJLDHJ8GpW52g_W46L3g4.cer
DEBUG:main:adding rsync://rpki01.nic.ad.jp/repository/JPNIC02/1/HuFowujab9GxXEabmhe0b8Yjo5I.cer
DEBUG:main:adding rsync://rpki01.nic.ad.jp/repository/JPNIC02/1/HL5roPPYquXDQax8HainQxpJB2g.cer
DEBUG:main:adding rsync://rpki01.nic.ad.jp/repository/JPNIC02/1/1_HAP3WujllCM99I6_hqE6GPOEI.gbr
DEBUG:main:adding rsync://rpki01.nic.ad.jp/repository/JPNIC02/BIGLOBE/9/bmknBk2Z3AySPFR31n5trGBew6A.roa
DEBUG:main:adding rsync://rpki01.nic.ad.jp/repository/JPNIC02/BIGLOBE/9/BFA6mSh8r4DczEmSGsZl180kL24.roa
DEBUG:main:adding rsync://rpki01.nic.ad.jp/repository/JPNIC02/BIGLOBE/9/4nMm-YfKb5qMcAJBx3qpGlKGYew.roa
DEBUG:main:adding rsync://rpki01.nic.ad.jp/repository/JPNIC02/BIGLOBE/9/PUfXmhO1FHhMEKsnehYuovHYY9Q.roa
DEBUG:main:adding rsync://rpki01.nic.ad.jp/repository/JPNIC02/BIGLOBE/9/FG58vbPtx4CoqDpx3Jd_gkE57nw.roa
DEBUG:main:adding rsync://rpki01.nic.ad.jp/repository/JPNIC02/BIGLOBE/9/Qj3Oy9q6_yuvQVIQbWRWfrro3jE.roa
DEBUG:main:adding rsync://rpki01.nic.ad.jp/repository/JPNIC02/IZUMI/10/uxXAxp7Znds3M0hE5axLiboEqWM.roa
DEBUG:main:adding rsync://rpki01.nic.ad.jp/repository/JPNIC02/IZUMI/10/VGzs4aR26HfkZzWNCo1sPI2yrMs.roa
DEBUG:main:adding rsync://rpki01.nic.ad.jp/repository/JPNIC02/IZUMI/10/uPOO80ICKqSdcdmC8YJaoOpnB6s.roa
DEBUG:main:adding rsync://rpki01.nic.ad.jp/repository/JPNIC02/IZUMI/10/wGDrPe4MEPbJTWC8VfCxJvOnnt4.gbr
DEBUG:main:adding rsync://rpki01.nic.ad.jp/repository/JPNIC02/DTI/7/RKyFpmzfi0tP-UPYQkKMXU0XT1Y.roa
DEBUG:main:adding rsync://rpki01.nic.ad.jp/repository/JPNIC02/DTI/7/_qVOLpbhc7dCp-NStHpRPuklYZI.roa
DEBUG:main:adding rsync://rpki01.nic.ad.jp/repository/JPNIC02/DTI/7/NlHrtpbh8J8MXyDaOT4YThZSY3k.roa
DEBUG:main:adding rsync://rpki01.nic.ad.jp/repository/JPNIC02/DTI/7/jVVbq1BXjzFked2xCLFZaESG2xA.roa
DEBUG:main:adding rsync://rpki01.nic.ad.jp/repository/JPNIC02/NET-TECH/12/4SoEZroAJ1mYF3ul2GWPS6siLBI.roa
INFO:main:clearing validation statuses
INFO:main:updating validation status
DEBUG:main:processing /var/rcynic/data/authenticated/rpki01.nic.ad.jp/repository/JPNIC02.cer
WARNING:main:unable to find signing cert with ski=9E:DF:CB:0A:F4:DB:B7:5A:11:24:E0:5C:EB:9B:54:4D:39:08:10:77 (/commonName=JPNIC TA 02)
DEBUG:main:processing /var/rcynic/data/authenticated/rpki01.nic.ad.jp/repository/JPNIC02/1/1_HAP3WujllCM99I6_hqE6GPOEI.gbr
WARNING:main:unable to find signing cert with ski=30:41:0B:2D:60:28:D6:CB:23:B4:AB:F8:86:DF:D0:33:12:37:A2:0F (/commonName=30410B2D6028D6CB23B4ABF886DFD0331237A20F)
DEBUG:main:processing /var/rcynic/data/authenticated/rpki01.nic.ad.jp/repository/JPNIC02/1/HL5roPPYquXDQax8HainQxpJB2g.cer
WARNING:main:unable to find signing cert with ski=30:41:0B:2D:60:28:D6:CB:23:B4:AB:F8:86:DF:D0:33:12:37:A2:0F (/commonName=30410B2D6028D6CB23B4ABF886DFD0331237A20F)
DEBUG:main:processing /var/rcynic/data/authenticated/rpki01.nic.ad.jp/repository/JPNIC02/1/HuFowujab9GxXEabmhe0b8Yjo5I.cer
WARNING:main:unable to find signing cert with ski=30:41:0B:2D:60:28:D6:CB:23:B4:AB:F8:86:DF:D0:33:12:37:A2:0F (/commonName=30410B2D6028D6CB23B4ABF886DFD0331237A20F)
DEBUG:main:processing /var/rcynic/data/authenticated/rpki01.nic.ad.jp/repository/JPNIC02/1/Zcm_vEvxqcusNgara3ouYYPSM-s.cer
WARNING:main:unable to find signing cert with ski=30:41:0B:2D:60:28:D6:CB:23:B4:AB:F8:86:DF:D0:33:12:37:A2:0F (/commonName=30410B2D6028D6CB23B4ABF886DFD0331237A20F)
DEBUG:main:processing /var/rcynic/data/authenticated/rpki01.nic.ad.jp/repository/JPNIC02/IZUMI/10/VGzs4aR26HfkZzWNCo1sPI2yrMs.roa
WARNING:main:unable to find signing cert with ski=65:C9:BF:BC:4B:F1:A9:CB:AC:36:06:AB:6B:7A:2E:61:83:D2:33:EB (/commonName=65C9BFBC4BF1A9CBAC3606AB6B7A2E6183D233EB)
DEBUG:main:processing /var/rcynic/data/authenticated/rpki01.nic.ad.jp/repository/JPNIC02/IZUMI/10/uPOO80ICKqSdcdmC8YJaoOpnB6s.roa
WARNING:main:unable to find signing cert with ski=65:C9:BF:BC:4B:F1:A9:CB:AC:36:06:AB:6B:7A:2E:61:83:D2:33:EB (/commonName=65C9BFBC4BF1A9CBAC3606AB6B7A2E6183D233EB)
DEBUG:main:processing /var/rcynic/data/authenticated/rpki01.nic.ad.jp/repository/JPNIC02/IZUMI/10/uxXAxp7Znds3M0hE5axLiboEqWM.roa
WARNING:main:unable to find signing cert with ski=65:C9:BF:BC:4B:F1:A9:CB:AC:36:06:AB:6B:7A:2E:61:83:D2:33:EB (/commonName=65C9BFBC4BF1A9CBAC3606AB6B7A2E6183D233EB)
DEBUG:main:processing /var/rcynic/data/authenticated/rpki01.nic.ad.jp/repository/JPNIC02/IZUMI/10/wGDrPe4MEPbJTWC8VfCxJvOnnt4.gbr
WARNING:main:unable to find signing cert with ski=65:C9:BF:BC:4B:F1:A9:CB:AC:36:06:AB:6B:7A:2E:61:83:D2:33:EB (/commonName=65C9BFBC4BF1A9CBAC3606AB6B7A2E6183D233EB)
DEBUG:main:processing /var/rcynic/data/authenticated/rpki01.nic.ad.jp/repository/JPNIC02/1/by6IMrcxf6_D9SnCx832JA0iRKM.cer
WARNING:main:unable to find signing cert with ski=30:41:0B:2D:60:28:D6:CB:23:B4:AB:F8:86:DF:D0:33:12:37:A2:0F (/commonName=30410B2D6028D6CB23B4ABF886DFD0331237A20F)
DEBUG:main:processing /var/rcynic/data/authenticated/rpki01.nic.ad.jp/repository/JPNIC02/1/iXd-QWeuN6oGlttoCyIcewT6O3A.cer
WARNING:main:unable to find signing cert with ski=30:41:0B:2D:60:28:D6:CB:23:B4:AB:F8:86:DF:D0:33:12:37:A2:0F (/commonName=30410B2D6028D6CB23B4ABF886DFD0331237A20F)
DEBUG:main:processing /var/rcynic/data/authenticated/rpki01.nic.ad.jp/repository/JPNIC02/DTI/7/NlHrtpbh8J8MXyDaOT4YThZSY3k.roa
WARNING:main:unable to find signing cert with ski=89:77:7E:41:67:AE:37:AA:06:96:DB:68:0B:22:1C:7B:04:FA:3B:70 (/commonName=89777E4167AE37AA0696DB680B221C7B04FA3B70)
DEBUG:main:processing /var/rcynic/data/authenticated/rpki01.nic.ad.jp/repository/JPNIC02/DTI/7/RKyFpmzfi0tP-UPYQkKMXU0XT1Y.roa
WARNING:main:unable to find signing cert with ski=89:77:7E:41:67:AE:37:AA:06:96:DB:68:0B:22:1C:7B:04:FA:3B:70 (/commonName=89777E4167AE37AA0696DB680B221C7B04FA3B70)
DEBUG:main:processing /var/rcynic/data/authenticated/rpki01.nic.ad.jp/repository/JPNIC02/DTI/7/_qVOLpbhc7dCp-NStHpRPuklYZI.roa
WARNING:main:unable to find signing cert with ski=89:77:7E:41:67:AE:37:AA:06:96:DB:68:0B:22:1C:7B:04:FA:3B:70 (/commonName=89777E4167AE37AA0696DB680B221C7B04FA3B70)
DEBUG:main:processing /var/rcynic/data/authenticated/rpki01.nic.ad.jp/repository/JPNIC02/DTI/7/jVVbq1BXjzFked2xCLFZaESG2xA.roa
WARNING:main:unable to find signing cert with ski=89:77:7E:41:67:AE:37:AA:06:96:DB:68:0B:22:1C:7B:04:FA:3B:70 (/commonName=89777E4167AE37AA0696DB680B221C7B04FA3B70)
DEBUG:main:processing /var/rcynic/data/authenticated/rpki01.nic.ad.jp/repository/JPNIC02/1/tJhFUeKJLDHJ8GpW52g_W46L3g4.cer
WARNING:main:unable to find signing cert with ski=30:41:0B:2D:60:28:D6:CB:23:B4:AB:F8:86:DF:D0:33:12:37:A2:0F (/commonName=30410B2D6028D6CB23B4ABF886DFD0331237A20F)
DEBUG:main:processing /var/rcynic/data/authenticated/rpki01.nic.ad.jp/repository/JPNIC02/1/ys59rIpVwbmvq01GZ4OCh4_czCM.cer
WARNING:main:unable to find signing cert with ski=30:41:0B:2D:60:28:D6:CB:23:B4:AB:F8:86:DF:D0:33:12:37:A2:0F (/commonName=30410B2D6028D6CB23B4ABF886DFD0331237A20F)
DEBUG:main:processing /var/rcynic/data/authenticated/rpki01.nic.ad.jp/repository/JPNIC02/NET-TECH/12/4SoEZroAJ1mYF3ul2GWPS6siLBI.roa
WARNING:main:unable to find signing cert with ski=CA:CE:7D:AC:8A:55:C1:B9:AF:AB:4D:46:67:83:82:87:8F:DC:CC:23 (/commonName=CACE7DAC8A55C1B9AFAB4D46678382878FDCCC23)
DEBUG:main:processing /var/rcynic/data/authenticated/rpki01.nic.ad.jp/repository/JPNIC02/1/zyXYld2AYpZPn9Kv4XmBLTsOSWU.cer
WARNING:main:unable to find signing cert with ski=30:41:0B:2D:60:28:D6:CB:23:B4:AB:F8:86:DF:D0:33:12:37:A2:0F (/commonName=30410B2D6028D6CB23B4ABF886DFD0331237A20F)
DEBUG:main:processing /var/rcynic/data/authenticated/rpki01.nic.ad.jp/repository/JPNIC02/BIGLOBE/9/4nMm-YfKb5qMcAJBx3qpGlKGYew.roa
WARNING:main:unable to find signing cert with ski=CF:25:D8:95:DD:80:62:96:4F:9F:D2:AF:E1:79:81:2D:3B:0E:49:65 (/commonName=CF25D895DD8062964F9FD2AFE179812D3B0E4965)
DEBUG:main:processing /var/rcynic/data/authenticated/rpki01.nic.ad.jp/repository/JPNIC02/BIGLOBE/9/BFA6mSh8r4DczEmSGsZl180kL24.roa
WARNING:main:unable to find signing cert with ski=CF:25:D8:95:DD:80:62:96:4F:9F:D2:AF:E1:79:81:2D:3B:0E:49:65 (/commonName=CF25D895DD8062964F9FD2AFE179812D3B0E4965)
DEBUG:main:processing /var/rcynic/data/authenticated/rpki01.nic.ad.jp/repository/JPNIC02/BIGLOBE/9/FG58vbPtx4CoqDpx3Jd_gkE57nw.roa
WARNING:main:unable to find signing cert with ski=CF:25:D8:95:DD:80:62:96:4F:9F:D2:AF:E1:79:81:2D:3B:0E:49:65 (/commonName=CF25D895DD8062964F9FD2AFE179812D3B0E4965)
DEBUG:main:processing /var/rcynic/data/authenticated/rpki01.nic.ad.jp/repository/JPNIC02/BIGLOBE/9/PUfXmhO1FHhMEKsnehYuovHYY9Q.roa
WARNING:main:unable to find signing cert with ski=CF:25:D8:95:DD:80:62:96:4F:9F:D2:AF:E1:79:81:2D:3B:0E:49:65 (/commonName=CF25D895DD8062964F9FD2AFE179812D3B0E4965)
DEBUG:main:processing /var/rcynic/data/authenticated/rpki01.nic.ad.jp/repository/JPNIC02/BIGLOBE/9/Qj3Oy9q6_yuvQVIQbWRWfrro3jE.roa
WARNING:main:unable to find signing cert with ski=CF:25:D8:95:DD:80:62:96:4F:9F:D2:AF:E1:79:81:2D:3B:0E:49:65 (/commonName=CF25D895DD8062964F9FD2AFE179812D3B0E4965)
DEBUG:main:processing /var/rcynic/data/authenticated/rpki01.nic.ad.jp/repository/JPNIC02/BIGLOBE/9/bmknBk2Z3AySPFR31n5trGBew6A.roa
WARNING:main:unable to find signing cert with ski=CF:25:D8:95:DD:80:62:96:4F:9F:D2:AF:E1:79:81:2D:3B:0E:49:65 (/commonName=CF25D895DD8062964F9FD2AFE179812D3B0E4965)
DEBUG:main:processing /var/rcynic/data/authenticated/rpki01.nic.ad.jp/repository/JPNIC01.cer
WARNING:main:unable to find signing cert with ski=9E:DF:CB:0A:F4:DB:B7:5A:11:24:E0:5C:EB:9B:54:4D:39:08:10:77 (/commonName=JPNIC TA 02)
INFO:main:performing garbage collection
INFO:main:sending notifications for invalid objects
INFO:main:elapsed time 2 seconds.
```

Trac comment by taiji-k on 2013-01-31T08:34:28Z

sraustein commented 11 years ago

It looks like perhaps rcynic did not output a line for the "JPNIC TA 02", because the script is reporting it can't find the issuer for JPNIC02.cer.

```
DEBUG:main:processing /var/rcynic/data/authenticated/rpki01.nic.ad.jp/repository/JPNIC02.cer
WARNING:main:unable to find signing cert with ski=9E:DF:CB:0A:F4:DB:B7:5A:11:24:E0:5C:EB:9B:54:4D:39:08:10:77 (/commonName=JPNIC TA 02)
```

Would it be possible for you to gzip your rcynic.xml and attach it to this bug report? rcynic obviously thinks that certificate is valid, since it is located in the authenticated subdirectory.

Trac comment by melkins on 2013-01-31T23:35:47Z

sraustein commented 11 years ago

rcynic.xml.gz Trac attachment by taiji-k on 2013-02-11T17:07:39Z

sraustein commented 11 years ago

Oops, again.

In the repository, do all certs need to be in PEM format?

In rcynic.xml:

```xml
<validation_status timestamp="2013-02-01T02:29:26Z" status="unknown_object_type_skipped">rsync://rpki01.nic.ad.jp/repository/jpnic-ta-02_cert.der</validation_status>
<validation_status timestamp="2013-02-01T02:29:26Z" status="rsync_transfer_succeeded">rsync://rpki01.nic.ad.jp/repository/jpnic-ta-02_cert.der</validation_status>
<validation_status timestamp="2013-02-01T02:29:26Z" status="tainted_by_not_being_in_manifest" generation="current">rsync://rpki01.nic.ad.jp/repository/jpnic-ta-02_cert.der</validation_status>
<validation_status timestamp="2013-02-01T02:29:26Z" status="object_accepted" generation="current">rsync://rpki01.nic.ad.jp/repository/jpnic-ta-02_cert.der</validation_status>
```

Trac comment by taiji-k on 2013-02-01T02:42:41Z

sraustein commented 11 years ago

On Fri, Feb 01, 2013 at 02:42:41AM -0000, Trac Ticket System wrote:

> 404: Validation Status: unknown in routes page
>
> ```
> ----------------------+----------------------
>   Reporter:  taiji-k  |      Owner:  melkins
>       Type:  defect   |     Status:  accepted
>   Priority:  minor    |  Component:  gui
> Resolution:           |   Keywords:
> Blocked By:           |   Blocking:
> ----------------------+----------------------
> ```
>
> Comment (by taiji-k):
>
> Oops, again.
>
> In the repository, do all certs need to be in PEM format?
>
> In rcynic.xml:
>
> ```xml
> <validation_status timestamp="2013-02-01T02:29:26Z" status="unknown_object_type_skipped">rsync://rpki01.nic.ad.jp/repository/jpnic-ta-02_cert.der</validation_status>
> <validation_status timestamp="2013-02-01T02:29:26Z" status="rsync_transfer_succeeded">rsync://rpki01.nic.ad.jp/repository/jpnic-ta-02_cert.der</validation_status>
> <validation_status timestamp="2013-02-01T02:29:26Z" status="tainted_by_not_being_in_manifest" generation="current">rsync://rpki01.nic.ad.jp/repository/jpnic-ta-02_cert.der</validation_status>
> <validation_status timestamp="2013-02-01T02:29:26Z" status="object_accepted" generation="current">rsync://rpki01.nic.ad.jp/repository/jpnic-ta-02_cert.der</validation_status>
> ```

The certificates should be in DER format, and they are required to have a .cer suffix.

I don't quite understand what rcynic is saying here, though. At first it says it is skipping the unknown object, but then later it says object_accepted.

I think the problem is that the python script that processes the rcynic.xml doesn't understand the .der suffix and ignores it.

Trac comment by melkins on 2013-02-01T03:31:49Z

sraustein commented 11 years ago

On Fri, Feb 01, 2013 at 03:31:51AM -0000, Trac Ticket System wrote:

> I think the problem is that the python script that processes the rcynic.xml doesn't understand the .der suffix and ignores it.

Yes, this is the problem. In rpki.rcynic.file_name_classes it requires a .cer suffix, but rcynic must determine what type it is and accept it. It seems like there should be a warning, unless the TA really doesn't require the .cer suffix.

Trac comment by melkins on 2013-02-01T03:35:13Z
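The suffix-keyed classification melkins describes, as an added example that is not rpki.net's own code: it reads the validation_status records of an rcynic.xml (a constructed sample modelled on the excerpt quoted above; the rcynic-summary wrapper element and the set of known suffixes are assumptions, not copied from rpki.rcynic.file_name_classes) and reports the two conditions from this thread, an object rcynic accepted whose suffix a suffix-keyed importer would silently drop, and an object tainted by not being in a manifest.

```python
"""Added example, not code from the rpki.net toolkit: read rcynic.xml the way
a suffix-keyed importer does, but flag objects whose filename suffix is not an
RPKI object type instead of silently ignoring them."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Object types an importer classifies by suffix. This set is an assumption
# modelled on the thread; the real table lives in rpki.rcynic.file_name_classes
# and is not copied here.
KNOWN_SUFFIXES = {".cer", ".crl", ".mft", ".roa", ".gbr"}

# Constructed sample modelled on the rcynic.xml excerpt quoted in the thread.
# The <rcynic-summary> wrapper element is assumed; only the <validation_status>
# records matter to the parser below.
SAMPLE_XML = """<rcynic-summary date="2013-02-01T02:29:26Z">
<validation_status timestamp="2013-02-01T02:29:26Z" status="unknown_object_type_skipped">rsync://rpki01.nic.ad.jp/repository/jpnic-ta-02_cert.der</validation_status>
<validation_status timestamp="2013-02-01T02:29:26Z" status="rsync_transfer_succeeded">rsync://rpki01.nic.ad.jp/repository/jpnic-ta-02_cert.der</validation_status>
<validation_status timestamp="2013-02-01T02:29:26Z" status="tainted_by_not_being_in_manifest" generation="current">rsync://rpki01.nic.ad.jp/repository/jpnic-ta-02_cert.der</validation_status>
<validation_status timestamp="2013-02-01T02:29:26Z" status="object_accepted" generation="current">rsync://rpki01.nic.ad.jp/repository/jpnic-ta-02_cert.der</validation_status>
<validation_status timestamp="2013-02-01T02:29:26Z" status="object_accepted" generation="current">rsync://rpki01.nic.ad.jp/repository/JPNIC02.cer</validation_status>
</rcynic-summary>
"""


def parse_statuses(xml_text):
    """Return (uri, status, generation) for every validation_status record."""
    root = ET.fromstring(xml_text)
    return [(vs.text.strip(), vs.get("status"), vs.get("generation"))
            for vs in root.iter("validation_status")]


def suffix_of(uri):
    """Filename suffix of an rsync URI, lower-cased ('' if there is none)."""
    name = uri.rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def audit(xml_text):
    """Return sorted (finding, uri, suffix) tuples for objects rcynic accepted
    but a suffix-keyed importer would drop, and for objects published under
    an SIA without being listed in its manifest."""
    statuses_by_uri = defaultdict(set)
    for uri, status, _generation in parse_statuses(xml_text):
        statuses_by_uri[uri].add(status)

    findings = []
    for uri, statuses in statuses_by_uri.items():
        sfx = suffix_of(uri)
        # rcynic accepted the object, but an importer keyed on suffix never
        # sees it: this is the ".der" trust anchor from the thread.
        if "object_accepted" in statuses and sfx not in KNOWN_SUFFIXES:
            findings.append(("unknown_suffix", uri, sfx))
        # Published under the CA's SIA but not listed in its manifest, the
        # reason melkins recommends publishing the TA certificate elsewhere.
        if "tainted_by_not_being_in_manifest" in statuses:
            findings.append(("not_in_manifest", uri, sfx))
    return sorted(findings)


if __name__ == "__main__":
    for finding, uri, sfx in audit(SAMPLE_XML):
        print("%-16s %-6s %s" % (finding, sfx or "(none)", uri))
```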

sraustein commented 11 years ago

```xml
<validation_status timestamp="2013-02-01T02:29:26Z" status="tainted_by_not_being_in_manifest" generation="current">rsync://rpki01.nic.ad.jp/repository/jpnic-ta-02_cert.der</validation_status>
```

Also, it looks like you are publishing the TA cert in the same place as the SIA, which is why there is a warning about the object not being in the manifest. I think what you want to do is publish that object elsewhere, such as rsync://rpki01.nic.ad.jp/root/jpnic-ta-02_cert.cer

Trac comment by melkins on 2013-02-01T03:44:59Z

sraustein commented 11 years ago

After making a TAL and doing "sh /etc/cron.daily/rcynic", the status has changed to "valid".


rsync://rpki01.nic.ad.jp/repository/jpnic-ta-02_cert.cer


rcynic.xml:

```
rsync://rpki01.nic.ad.jp/repository/jpnic-ta-02_cert.cer
rsync://rpki01.nic.ad.jp/repository/jpnic-ta-02_cert.cer
rsync://rpki01.nic.ad.jp/repository/
```

It looks like it is working, but about the manifest: do I need to re-issue the manifest?

The reason I put it in DER format was for rpki01:

/var/log/syslog:

```
Jan 11 21:56:26 rpki01 rootd[13846]:     self.POW = rpki.POW.Asymmetric.derReadPrivate(self.get_DER())
```

Trac comment by taiji-k on 2013-02-01T04:32:25Z

sraustein commented 11 years ago

> It looks like it is working, but about the manifest: do I need to re-issue the manifest?

No, because the TA cert is not part of the manifest. That is why I said that it really should be published outside of the SIA, because it is not logically part of it.

> The reason I put it in DER format was for rpki01:
>
> /var/log/syslog:
>
> ```
> Jan 11 21:56:26 rpki01 rootd[13846]:     self.POW = rpki.POW.Asymmetric.derReadPrivate(self.get_DER())
> ```

I'm not sure what that message means, but DER is the encoding, not the type of the object, and in RPKI the filename suffix is based on the object type. In this case the certificate (.cer file) is encoded in the binary DER form (as opposed to the PEM form).

Trac comment by melkins on 2013-02-01T04:38:12Z

sraustein commented 11 years ago

I believe this issue has been resolved after the .cer file was renamed to .der.

Please feel free to reopen this ticket if it is not resolved.

Trac comment by melkins on 2013-02-11T17:07:39Z

sraustein commented 11 years ago

Closed with resolution invalid