this user from the br nic seems to have been trapped by doc complexity into doing things such as rebuilding openssl.
You may be reading things into his message that he did not put there.
He is correct that the documented way of constructing an RPKI root certificate requires an RFC-3779-enabled version of the OpenSSL command line tool, which we do not install, nor, given the horrors of shared libraries, are we ever likely to do so. So he did what he had to do to construct a root certificate.
The configuration snippet you sent him does not do what you think it does; in fact it does not do anything anymore. It is a historical artifact in your rpkid.conf that is not present in current versions.
We might want to consider adding some dumb little Python tool which constructs a root certificate using the rpki.POW module, since that, unlike an RFC-3779-enabled version of OpenSSL command line tool, is something we can rely on being available.
and then he hit a lack of simple docco for rootd. i fear many folk will be doing root installs.
There is no simple documentation for rootd because rootd is not simple. Or, rather, rootd is too stoopid to be simple.
Note, however, that it looks like he got past all the rootd stuff on his own, he just hasn't figured out the GUI. Which doc was it that you said was the problem here? :)
As far as rootd's awfulness and the likelihood of users needing to deal with it goes: We could declare that merging rootd's functionality into rpkid has now risen to the top of the priority list. Not a trivial piece of work, but as it would require SQL changes it would be an opportunity to work on several other things as well.
Trac comment by sra on 2013-08-17T20:38:02Z
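As an added example (not the rpki.net project's own tooling, and not the rpki.POW approach proposed above), this is what the documented openssl-CLI route to a root certificate looks like in shell: an x509v3 config carrying the RFC 3779 extensions, and a function that tries to build a self-signed root from it and reports whether the installed openssl was built with enable-rfc3779 (a build without it does not know the sbgp-* extension names, so the openssl req call fails). The resources (10.0.0.0/8, 172.16.0.0/12 and AS64512) are lab values matching the RFC 1918 / RFC 6996 goal in this ticket; the file names, section names and function names are this example's own. A real RPKI trust anchor also needs the subject information access and other RFC 6487 profile fields, which this example leaves out.

```shell
#!/bin/sh
# Added example, not rpki.net code: build a lab RPKI root certificate with the
# openssl command-line tool.  Needs an OpenSSL built with enable-rfc3779.

# Write an openssl config whose x509v3 section carries RFC 3779 resources.
# Resource values are lab choices for this example (RFC 1918 space, RFC 6996 ASN).
write_rpki_conf() {
cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_rpki

[ dn ]
CN = Lab RPKI root (added example)

[ v3_rpki ]
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
keyUsage = critical, keyCertSign, cRLSign
# RFC 3779 extensions; RFC 6487 requires both to be marked critical.
sbgp-ipAddrBlock = critical, IPv4:10.0.0.0/8, IPv4:172.16.0.0/12
sbgp-autonomousSysNum = critical, AS:64512
EOF
}

# Create (or reuse) an RSA key and sign a self-signed root with the config.
# Prints "supported" when the certificate was produced, "unsupported" when
# openssl rejected the config (typically: no RFC 3779 support in this build).
rpki_root_cert() {
    key="$1"; cert="$2"; conf="$3"
    write_rpki_conf "$conf"
    if [ ! -f "$key" ]; then
        openssl genrsa -out "$key" 2048 2>/dev/null || { echo unsupported; return 0; }
    fi
    if openssl req -new -x509 -key "$key" -config "$conf" -days 365 -sha256 \
           -out "$cert" 2>/dev/null; then
        echo supported
    else
        rm -f "$cert"
        echo unsupported
    fi
}

# Print the decoded certificate text so the resources can be eyeballed.
cert_text() {
    openssl x509 -in "$1" -noout -text
}

# Check that both RFC 3779 extensions actually made it into the certificate.
cert_has_resources() {
    t=$(cert_text "$1") || return 1
    echo "$t" | grep -q 'sbgp-ipAddrBlock' || return 1
    echo "$t" | grep -q 'sbgp-autonomousSysNum' || return 1
    return 0
}

# Usage (hypothetical file names):
#   rpki_root_cert root.key root.cer rpki-root.cnf && cert_has_resources root.cer
```

If the function prints "unsupported" on a stock distribution openssl, that is the situation described in this ticket: the command-line tool was built without RFC 3779 and cannot emit these extensions at all, regardless of how the config is written.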
[ adding pablo to ticket ]
Trac attachment procedures.txt (Installation steps) by pablo on 2016-08-05T15:43:27Z
Hello,
I attached a file with the installation procedures that I followed.
Trac comment by pablo on 2013-08-20T21:01:25Z
I suspect that part of the problem may be the format of the RSA private key file root.key. See ticket #603 for details.
If this theory is correct, the following conversion commands may help:
{{{
if openssl rsa -in root.key -out root.key.new
then
    echo success
    mv root.key.new root.key
else
    echo failure
    rm root.key.new
fi
}}}
Trac comment by sra on 2013-08-23T02:58:17Z
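As an added example (not rpki.net code, and not a statement of what ticket #603 actually found), here is a more defensive version of that conversion in shell. It identifies which PEM container the key file uses, refuses passphrase-protected keys rather than hanging on a prompt, converts to an unencrypted PKCS#1 "RSA PRIVATE KEY" PEM (the form `openssl rsa` wrote at the time of this ticket; OpenSSL 3 writes PKCS#8 unless given -traditional, and older releases do not accept that flag, so both are tried), and only replaces the original once the modulus of the converted file matches the original. File and function names are the example's own.

```shell
#!/bin/sh
# Added example, not rpki.net code: normalise an RSA private key to an
# unencrypted PKCS#1 PEM ("-----BEGIN RSA PRIVATE KEY-----") without ever
# destroying the original until the result has been verified.

# Report which PEM container a key file uses.
key_format() {
    if grep -q 'BEGIN RSA PRIVATE KEY' "$1" 2>/dev/null; then echo pkcs1
    elif grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1" 2>/dev/null; then echo pkcs8-encrypted
    elif grep -q 'BEGIN PRIVATE KEY' "$1" 2>/dev/null; then echo pkcs8
    else echo unknown
    fi
}

# Public modulus of the key; used to prove the converted file is the same key.
key_modulus() {
    openssl rsa -in "$1" -noout -modulus 2>/dev/null
}

# Rewrite $1 in place as unencrypted PKCS#1 PEM.  Prints "success" and returns
# 0 only when the rewritten file parses as PKCS#1 and carries the same modulus;
# otherwise the original is left untouched and a reason is printed.
normalise_key() {
    key="$1"; new="$key.new"
    if [ "$(key_format "$key")" = pkcs8-encrypted ]; then
        echo "refusing: $key is passphrase-protected, decrypt it first"
        return 1
    fi
    before=$(key_modulus "$key") || { echo "cannot read $key as an RSA key"; return 1; }
    # OpenSSL 3 needs -traditional for PKCS#1 output; older releases reject the
    # flag, so fall back to the plain invocation used in the comment above.
    openssl rsa -in "$key" -traditional -out "$new" 2>/dev/null \
        || openssl rsa -in "$key" -out "$new" 2>/dev/null \
        || { rm -f "$new"; echo "conversion failed"; return 1; }
    after=$(key_modulus "$new")
    if [ "$(key_format "$new")" = pkcs1 ] && [ -n "$before" ] && [ "$after" = "$before" ]; then
        mv "$new" "$key"
        echo success
        return 0
    fi
    rm -f "$new"
    echo "refusing: converted file is not PKCS#1 or is a different key"
    return 1
}

# Usage (hypothetical file name):
#   normalise_key root.key
```

The modulus comparison is the check worth keeping even if you never hit the format problem: `openssl rsa` will happily write whatever it parsed, and a silently different key is far harder to debug than a loud failure.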
pablo, please report if this helps or not -- randy
Trac comment by randy on 2013-08-23T03:02:14Z
Randy and Rob,
Yessss, It worked quite well !!!
Now I can see the resources and the entire infrastructure is running.
I did a test creating the following ROA "A64512,10.0.8.0/24,24". Then I made a TAL file, which successfully worked with rpki-validator and rcynic.
The only warning I received was from the rpki validator saying:
{{{
WARNING: root.mft Manifest validity differs from EE certificate validity
WARNING: Uukm_I6aWcHX8ean57oBA6x0isI.mft Manifest validity differs from EE certificate validity
}}}
But it didn't cause any trouble.
I'm very grateful for your help in solving this problem.
Congratulations, Pablo
See some tests I did:
{{{
rtr-origin --client tcp localhost 43779
2013-08-23 07:58:26 rtr-origin/client[27039]: [Startup]
2013-08-23 07:58:26 rtr-origin/client[27039]: [Starting raw TCP connection to localhost:43779]
2013-08-23 07:58:26 rtr-origin/client[27039]: [Trying addr 127.0.0.1 port 43779]
2013-08-23 07:58:26 rtr-origin/client[27039]: [reset_query]
2013-08-23 07:58:26 rtr-origin/client[27039]: [cache_response, nonce 64050]
2013-08-23 07:58:26 rtr-origin/client[27039]: + 64512 10.0.8.0/24-24 00:04:00:00:00:00:00:14:01:18:18:00:0A:00:08:00:00:00:FC:00
2013-08-23 07:58:26 rtr-origin/client[27039]: [end_of_data, serial #1377243588 nonce 64050]
}}}
{{{
rtr-origin --client tcp localhost 8282
2013-08-23 08:11:40 rtr-origin/client[27667]: [Startup]
2013-08-23 08:11:40 rtr-origin/client[27667]: [Starting raw TCP connection to localhost:8282]
2013-08-23 08:11:40 rtr-origin/client[27667]: [Trying addr 127.0.0.1 port 8282]
2013-08-23 08:11:40 rtr-origin/client[27667]: [reset_query]
2013-08-23 08:11:40 rtr-origin/client[27667]: [cache_response, nonce 20416]
2013-08-23 08:11:40 rtr-origin/client[27667]: + 64512 10.0.8.0/24-24 00:04:00:00:00:00:00:14:01:18:18:00:0A:00:08:00:00:00:FC:00
2013-08-23 08:11:40 rtr-origin/client[27667]: [end_of_data, serial #12 nonce 20416]
}}}
{{{
rtrclient tcp localhost 43779
Prefix  Prefix Length  ASN
}}}
{{{
rtrclient tcp localhost 8282
Prefix  Prefix Length  ASN
}}}
{{{
lynx --dump http://127.0.0.1:8080/export.csv
ASN,IP Prefix,Max Length
AS64512,10.0.8.0/24,24
}}}
{{{
lynx --dump http://127.0.0.1:8080/api/v1/validity/AS64512/10.0.8.0/24
{
  "validated_route": {
    "route": {
      "origin_asn": "AS64512",
      "prefix": "10.0.8.0/24"
    },
    "validity": {
      "state": "Valid",
      "description": "At least one VRP Matches the Route Prefix",
      "VRPs": {
        "matched": [
          {
            "asn": "AS64512",
            "prefix": "10.0.8.0/24",
            "max_length": 24
          }
        ],
        "unmatched_as": [],
        "unmatched_length": []
      }
    }
  }
}
}}}
Trac comment by pablo on 2013-08-23T11:41:56Z
Issue resolved years ago, ticket never closed.
Trac comment by sra on 2016-08-05T15:43:27Z
Closed with resolution fixed
this user from the br nic seems to have been trapped by doc complexity into doing things such as rebuilding openssl. and then he hit a lack of simple docco for rootd. i fear many folk will be doing root installs.
From: Pablo Martins Figueiredo da Costa pablo@nic.br Subject: [rpki] Help on configuring my RPKI Certificate Authority To: rpki@rpki.net Date: Fri, 16 Aug 2013 21:09:13 -0300 (BRT)
Hello,
I'm trying to configure a testbed environment for RPKI, but I got stuck on the configuration of rpki-ca.
I already played with Cisco ASR1001 (XE3.9S), GNS3 (IOS 15.2S3), quagga-rtrlib, rcynic and the RIPE-NCC Validator, and I'm confident with this part of the RPKI infrastructure.
My goal is to create my own CA and be able to create certificates and ROAs for private ASes (RFC 6996) and IP addresses (RFC 1918), and use them in the lab.
I got a little bit confused, because I installed rpki-ca using Ubuntu binary packages and most of the configuration steps described in the docs were already done after "apt-get install".
I had to compile openssl with rfc3779, then I rebuilt the Ubuntu package for openssl with enable-rfc3779.
I'm able to access the web gui, but can't figure out how to create the ROAs as I would like.
I read the following documentation: https://trac.rpki.net/wiki/doc/RPKI/CA/Configuration/CreatingRoot https://trac.rpki.net/wiki/doc/RPKI/CA/Configuration/rootd
I really appreciate any help you can provide.
Thanks, Pablo
Trac ticket #599 component doc priority major, owner sra, created by randy on 2013-08-17T01:18:09Z, last modified 2016-08-05T15:43:27Z