dragonresearch / rpki.net

Dragon Research Labs rpki.net RPKI toolkit

Trusted CMS certificate has expired #624

Closed sraustein closed 11 years ago

sraustein commented 11 years ago

jillions of these

{{{
Sep 10 03:05:57 ca0 rpkid[9105]: : Returning exception HTTPRequestFailed("HTTP request failed with status 500, reason Could not process PDU: ('Trusted CMS certificate has expired', '/commonName=esnet BPKI resource CA (3C:BD:11:51:F0:62:9B:D2:5A:95:24:13:F6:7F:AD:4B:44:F7:20:A1)')",) to caller: HTTP request failed with status 500, reason Could not process PDU: ('Trusted CMS certificate has expired', '/commonName=esnet BPKI resource CA (3C:BD:11:51:F0:62:9B:D2:5A:95:24:13:F6:7F:AD:4B:44:F7:20:A1)')
Sep 10 03:05:57 ca0 rpkid[9105]: Couldn't publish for esnet, skipping: HTTP request failed with status 500, reason Could not process PDU: ('Trusted CMS certificate has expired', '/commonName=esnet BPKI resource CA (3C:BD:11:51:F0:62:9B:D2:5A:95:24:13:F6:7F:AD:4B:44:F7:20:A1)')
Sep 10 03:07:57 ca0 rpkid[9105]: Couldn't get resource class list from parent <rpki.left_right.parent_elt {altCA} altCA>, skipping: ('Trusted CMS certificate has expired', '/commonName=altCA BPKI rootd EE (B9:CE:8F:68:EE:6D:63:CE:9A:F8:2F:AA:42:23:06:9E:C1:08:04:08)') (TrustedCMSCertHasExpired('Trusted CMS certificate has expired', '/commonName=altCA BPKI rootd EE (B9:CE:8F:68:EE:6D:63:CE:9A:F8:2F:AA:42:23:06:9E:C1:08:04:08)'))
Sep 10 03:07:57 ca0 rpkid[9105]: : Error on HTTP client connection ca0.rpki.net:4402 <class 'rpki.exceptions.HTTPRequestFailed'> HTTP request failed with status 500, reason Could not process PDU: ('Trusted CMS certificate has expired', '/commonName=altCA BPKI resource CA (8E:F6:AE:BE:6B:CC:DF:FE:B1:96:2C:13:C5:87:72:43:0C:EC:11:9C)')
Sep 10 03:07:57 ca0 rpkid[9105]: : Closing due to error
Sep 10 03:07:57 ca0 rpkid[9105]: : Returning exception HTTPRequestFailed("HTTP request failed with status 500, reason Could not process PDU: ('Trusted CMS certificate has expired', '/commonName=altCA BPKI resource CA (8E:F6:AE:BE:6B:CC:DF:FE:B1:96:2C:13:C5:87:72:43:0C:EC:11:9C)')",) to caller: HTTP request failed with status 500, reason Could not process PDU: ('Trusted CMS certificate has expired', '/commonName=altCA BPKI resource CA (8E:F6:AE:BE:6B:CC:DF:FE:B1:96:2C:13:C5:87:72:43:0C:EC:11:9C)')
Sep 10 03:07:57 ca0 rpkid[9105]: Couldn't publish Ghostbuster updates for altCA, skipping: HTTP request failed with status 500, reason Could not process PDU: ('Trusted CMS certificate has expired', '/commonName=altCA BPKI resource CA (8E:F6:AE:BE:6B:CC:DF:FE:B1:96:2C:13:C5:87:72:43:0C:EC:11:9C)')
Sep 10 03:07:57 ca0 rpkid[9105]: : Error on HTTP client connection ca0.rpki.net:4404 <class 'rpki.exceptions.HTTPRequestFailed'> HTTP request failed with status 400, reason Could not process PDU: ('Trusted CMS certificate has expired', '/commonName=rgnet BPKI resource CA (A5:23:25:56:1C:07:D6:33:6E:1D:5E:09:5F:AD:29:19:E4:D2:51:8B)')
Sep 10 03:07:57 ca0 rpkid[9105]: : Closing due to error
Sep 10 03:07:57 ca0 rpkid[9105]: : Returning exception HTTPRequestFailed("HTTP request failed with status 400, reason Could not process PDU: ('Trusted CMS certificate has expired', '/commonName=rgnet BPKI resource CA (A5:23:25:56:1C:07:D6:33:6E:1D:5E:09:5F:AD:29:19:E4:D2:51:8B)')",) to caller: HTTP request failed with status 400, reason Could not process PDU: ('Trusted CMS certificate has expired', '/commonName=rgnet BPKI resource CA (A5:23:25:56:1C:07:D6:33:6E:1D:5E:09:5F:AD:29:19:E4:D2:51:8B)')
Sep 10 03:07:57 ca0 rpkid[9105]: Couldn't get resource class list from parent <rpki.left_right.parent_elt {rgnet} altCA>, skipping: HTTP request failed with status 400, reason Could not process PDU: ('Trusted CMS certificate has expired', '/commonName=rgnet BPKI resource CA (A5:23:25:56:1C:07:D6:33:6E:1D:5E:09:5F:AD:29:19:E4:D2:51:8B)') (HTTPRequestFailed("HTTP request failed with status 400, reason Could not process PDU: ('Trusted CMS certificate has expired', '/commonName=rgnet BPKI resource CA (A5:23:25:56:1C:07:D6:33:6E:1D:5E:09:5F:AD:29:19:E4:D2:51:8B)')",))
Sep 10 03:07:57 ca0 rpkid[9105]: : Error on HTTP client connection ca0.rpki.net:4402 <class 'rpki.exceptions.HTTPRequestFailed'> HTTP request failed with status 500, reason Could not process PDU: ('Trusted CMS certificate has expired', '/commonName=rgnet BPKI resource CA (A5:23:25:56:1C:07:D6:33:6E:1D:5E:09:5F:AD:29:19:E4:D2:51:8B)')
Sep 10 03:07:57 ca0 rpkid[9105]: : Closing due to error
Sep 10 03:07:57 ca0 rpkid[9105]: : Returning exception HTTPRequestFailed("HTTP request failed with status 500, reason Could not process PDU: ('Trusted CMS certificate has expired', '/commonName=rgnet BPKI resource CA (A5:23:25:56:1C:07:D6:33:6E:1D:5E:09:5F:AD:29:19:E4:D2:51:8B)')",) to caller: HTTP request failed with status 500, reason Could not process PDU: ('Trusted CMS certificate has expired', '/commonName=rgnet BPKI resource CA (A5:23:25:56:1C:07:D6:33:6E:1D:5E:09:5F:AD:29:19:E4:D2:51:8B)')
Sep 10 03:07:57 ca0 rpkid[9105]: Couldn't publish Ghostbuster updates for rgnet, skipping: HTTP request failed with status 500, reason Could not process PDU: ('Trusted CMS certificate has expired', '/commonName=rgnet BPKI resource CA (A5:23:25:56:1C:07:D6:33:6E:1D:5E:09:5F:AD:29:19:E4:D2:51:8B)')
Sep 10 03:07:57 ca0 rpkid[9105]: : Error on HTTP client connection ca0.rpki.net:4404 <class 'rpki.exceptions.HTTPRequestFailed'> HTTP request failed with status 400, reason Could not process PDU: ('Trusted CMS certificate has expired', '/commonName=IETF BPKI resource CA (7D:F8:E7:64:F2:C9:21:11:62:7E:9B:7A:F2:3A:B2:3E:27:AD:F0:99)')
Sep 10 03:07:57 ca0 rpkid[9105]: : Closing due to error
Sep 10 03:07:57 ca0 rpkid[9105]: : Returning exception HTTPRequestFailed("HTTP request failed with status 400, reason Could not process PDU: ('Trusted CMS certificate has expired', '/commonName=IETF BPKI resource CA (7D:F8:E7:64:F2:C9:21:11:62:7E:9B:7A:F2:3A:B2:3E:27:AD:F0:99)')",) to caller: HTTP request failed with status 400, reason Could not process PDU: ('Trusted CMS certificate has expired', '/commonName=IETF BPKI resource CA (7D:F8:E7:64:F2:C9:21:11:62:7E:9B:7A:F2:3A:B2:3E:27:AD:F0:99)')
Sep 10 03:07:57 ca0 rpkid[9105]: Couldn't get resource class list from parent <rpki.left_right.parent_elt {IETF} altCA>, skipping: HTTP request failed with status 400, reason Could not process PDU: ('Trusted CMS certificate has expired', '/commonName=IETF BPKI resource CA (7D:F8:E7:64:F2:C9:21:11:62:7E:9B:7A:F2:3A:B2:3E:27:AD:F0:99)') (HTTPRequestFailed("HTTP request failed with status 400, reason Could not process PDU: ('Trusted CMS certificate has expired', '/commonName=IETF BPKI resource CA (7D:F8:E7:64:F2:C9:21:11:62:7E:9B:7A:F2:3A:B2:3E:27:AD:F0:99)')",))
Sep 10 03:07:58 ca0 rpkid[9105]: : Error on HTTP client connection ca0.rpki.net:4402 <class 'rpki.exceptions.HTTPRequestFailed'> HTTP request failed with status 500, reason Could not process PDU: ('Trusted CMS certificate has expired', '/commonName=IETF BPKI resource CA (7D:F8:E7:64:F2:C9:21:11:62:7E:9B:7A:F2:3A:B2:3E:27:AD:F0:99)')
Sep 10 03:07:58 ca0 rpkid[9105]: : Closing due to error
Sep 10 03:07:58 ca0 rpkid[9105]: : Returning exception HTTPRequestFailed("HTTP request failed with status 500, reason Could not process PDU: ('Trusted CMS certificate has expired', '/commonName=IETF BPKI resource CA (7D:F8:E7:64:F2:C9:21:11:62:7E:9B:7A:F2:3A:B2:3E:27:AD:F0:99)')",) to caller: HTTP request failed with status 500, reason Could not process PDU: ('Trusted CMS certificate has expired', '/commonName=IETF BPKI resource CA (7D:F8:E7:64:F2:C9:21:11:62:7E:9B:7A:F2:3A:B2:3E:27:AD:F0:99)')
Sep 10 03:07:58 ca0 rpkid[9105]: Couldn't publish for IETF, skipping: HTTP request failed with status 500, reason Could not process PDU: ('Trusted CMS certificate has expired', '/commonName=IETF BPKI resource CA (7D:F8:E7:64:F2:C9:21:11:62:7E:9B:7A:F2:3A:B2:3E:27:AD:F0:99)')
Sep 10 03:07:58 ca0 rpkid[9105]: : Error on HTTP client connection ca0.rpki.net:4404 <class 'rpki.exceptions.HTTPRequestFailed'> HTTP request failed with status 400, reason Could not process PDU: ('Trusted CMS certificate has expired', '/commonName=esnet BPKI resource CA (3C:BD:11:51:F0:62:9B:D2:5A:95:24:13:F6:7F:AD:4B:44:F7:20:A1)')
Sep 10 03:07:58 ca0 rpkid[9105]: : Closing due to error
Sep 10 03:07:58 ca0 rpkid[9105]: : Returning exception HTTPRequestFailed("HTTP request failed with status 400, reason Could not process PDU: ('Trusted CMS certificate has expired', '/commonName=esnet BPKI resource CA (3C:BD:11:51:F0:62:9B:D2:5A:95:24:13:F6:7F:AD:4B:44:F7:20:A1)')",) to caller: HTTP request failed with status 400, reason Could not process PDU: ('Trusted CMS certificate has expired', '/commonName=esnet BPKI resource CA (3C:BD:11:51:F0:62:9B:D2:5A:95:24:13:F6:7F:AD:4B:44:F7:20:A1)')
Sep 10 03:07:58 ca0 rpkid[9105]: Couldn't get resource class list from parent <rpki.left_right.parent_elt {esnet} altCA>, skipping: HTTP request failed with status 400, reason Could not process PDU: ('Trusted CMS certificate has expired', '/commonName=esnet BPKI resource CA (3C:BD:11:51:F0:62:9B:D2:5A:95:24:13:F6:7F:AD:4B:44:F7:20:A1)') (HTTPRequestFailed("HTTP request failed with status 400, reason Could not process PDU: ('Trusted CMS certificate has expired', '/commonName=esnet BPKI resource CA (3C:BD:11:51:F0:62:9B:D2:5A:95:24:13:F6:7F:AD:4B:44:F7:20:A1)')",))
Sep 10 03:07:58 ca0 rpkid[9105]: : Error on HTTP client connection ca0.rpki.net:4402 <class 'rpki.exceptions.HTTPRequestFailed'> HTTP request failed with status 500, reason Could not process PDU: ('Trusted CMS certificate has expired', '/commonName=esnet BPKI resource CA (3C:BD:11:51:F0:62:9B:D2:5A:95:24:13:F6:7F:AD:4B:44:F7:20:A1)')
Sep 10 03:07:58 ca0 rpkid[9105]: : Closing due to error
Sep 10 03:07:58 ca0 rpkid[9105]: : Returning exception HTTPRequestFailed("HTTP request failed with status 500, reason Could not process PDU: ('Trusted CMS certificate has expired', '/commonName=esnet BPKI resource CA (3C:BD:11:51:F0:62:9B:D2:5A:95:24:13:F6:7F:AD:4B:44:F7:20:A1)')",) to caller: HTTP request failed with status 500, reason Could not process PDU: ('Trusted CMS certificate has expired', '/commonName=esnet BPKI resource CA (3C:BD:11:51:F0:62:9B:D2:5A:95:24:13:F6:7F:AD:4B:44:F7:20:A1)')
Sep 10 03:07:58 ca0 rpkid[9105]: Couldn't publish for esnet, skipping: HTTP request failed with status 500, reason Could not process PDU: ('Trusted CMS certificate has expired', '/commonName=esnet BPKI resource CA (3C:BD:11:51:F0:62:9B:D2:5A:95:24:13:F6:7F:AD:4B:44:F7:20:A1)')
}}}

Trac ticket #611 component rpkid priority critical, owner sra, created by randy on 2013-09-10T03:11:24Z, last modified 2013-09-11T02:35:39Z

sraustein commented 11 years ago

Looks like none of the BPKI certificates in ca0's pubd have been updated since July. Don't know why (yet).

{{{ ca0.rpki.net:/root# irbe_cli client --action list | awk '/<bpki_cert>/ {cmd = "openssl enc -d -a | openssl x509 -noout -issuer -subject -dates -inform DER"; next} /<\/bpki_cert>/ {close(cmd); cmd = ""; print ""; next} cmd {print | cmd}'

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=altCA BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=rgnet BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=IETF BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=workshop BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=labuser00 BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=labuser01 BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=labuser02 BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=labuser03 BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=labuser04 BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=labuser05 BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=labuser06 BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=labuser07 BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=labuser08 BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=labuser09 BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=labuser10 BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=labuser11 BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=labuser12 BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=labuser13 BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=labuser14 BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=labuser15 BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=labuser16 BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=labuser17 BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=labuser18 BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=labuser19 BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=labuser20 BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=labuser21 BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=labuser22 BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=labuser23 BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=labuser24 BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=labuser25 BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=labuser26 BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=labuser27 BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=labuser28 BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=labuser29 BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=labuser30 BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=labuser31 BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=labuser32 BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=esnet BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=gatech BPKI resource CA notBefore=Jul 3 13:20:01 2013 GMT notAfter=Sep 1 13:20:01 2013 GMT }}}

Trac comment by sra on 2013-09-10T03:40:46Z
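
The triage done by hand in the two comments above (which subjects is rpkid complaining about, and what does pubd's client list say about their validity) can be scripted. The following is an added example, not part of the ticket or of the rpki.net toolkit; the function names are hypothetical, the sample log and listing are constructed in the ticket's formats with placeholder fingerprints, and the listing is assumed to use the older `/CN=...` openssl name format shown above.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Subject named in an rpkid "Trusted CMS certificate has expired" error.
LOG_RE = re.compile(r"Trusted CMS certificate has expired', '/commonName=(.+?) \(")
# subject/notBefore/notAfter as printed by `openssl x509 -subject -dates`, in the
# older "/CN=..." name format the ticket shows (an assumption about the input).
CERT_RE = re.compile(r"subject=\s*/CN=(.+?)\s+notBefore=(.+?GMT)\s+notAfter=(.+?GMT)", re.S)

# Constructed sample data in the ticket's formats; fingerprints are placeholders.
SAMPLE_LOG = """\
Sep 10 03:05:57 ca0 rpkid[9105]: : Returning exception HTTPRequestFailed("HTTP request failed with status 500, reason Could not process PDU: ('Trusted CMS certificate has expired', '/commonName=esnet BPKI resource CA (00:11:22)')",) to caller: HTTP request failed with status 500, reason Could not process PDU: ('Trusted CMS certificate has expired', '/commonName=esnet BPKI resource CA (00:11:22)')
Sep 10 03:05:57 ca0 rpkid[9105]: Couldn't publish for esnet, skipping: HTTP request failed with status 500, reason Could not process PDU: ('Trusted CMS certificate has expired', '/commonName=esnet BPKI resource CA (00:11:22)')
Sep 10 03:07:57 ca0 rpkid[9105]: Couldn't get resource class list from parent <rpki.left_right.parent_elt {altCA} altCA>, skipping: ('Trusted CMS certificate has expired', '/commonName=altCA BPKI rootd EE (33:44:55)')
Sep 10 03:07:57 ca0 rpkid[9105]: : Closing due to error
"""
SAMPLE_LISTING = """\
issuer= /CN=ca0.rpki.net BPKI server CA
subject= /CN=esnet BPKI resource CA
notBefore=Jul  3 13:20:01 2013 GMT
notAfter=Sep  1 13:20:01 2013 GMT

issuer= /CN=ca0.rpki.net BPKI server CA
subject= /CN=altCA BPKI resource CA
notBefore=Sep 10 03:41:46 2013 GMT
notAfter=Nov  9 03:41:46 2013 GMT
"""

def parse_date(text):
    """Parse an openssl -dates value such as 'Sep  1 13:20:01 2013 GMT'."""
    return datetime.strptime(text, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def expired_subjects(log_text):
    """Count log lines per certificate subject named in an expiry error."""
    hits = Counter()
    for line in log_text.splitlines():
        hits.update(set(LOG_RE.findall(line)))  # one hit per line, not per repeat
    return hits

def parse_listing(listing):
    """Map subject CN -> notAfter for every certificate in the listing."""
    return {cn: parse_date(after) for cn, _before, after in CERT_RE.findall(listing)}

def triage(log_text, listing, now):
    """Map each subject seen in the logs to (log hits, days past notAfter).

    Days is None when the subject is not in the listing at all, and negative
    when the listed certificate is still valid at `now`.
    """
    not_after = parse_listing(listing)
    report = {}
    for cn, count in expired_subjects(log_text).items():
        end = not_after.get(cn)
        report[cn] = (count, (now - end).days if end else None)
    return report

if __name__ == "__main__":
    when = datetime(2013, 9, 10, 3, 5, 57, tzinfo=timezone.utc)
    for subject, (hits, days) in triage(SAMPLE_LOG, SAMPLE_LISTING, when).items():
        print(subject, hits, "not in listing" if days is None else "%d days past notAfter" % days)
```

A subject that shows up in the logs but not in the listing, like the rootd EE certificate here, is held somewhere other than pubd's client table and has to be checked separately.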

sraustein commented 11 years ago

Running rpkic update_bpki did not fix this; rpkic synchronize does appear to have fixed it. Test in both cases was running above horrible irbe_cli | awk pipeline: update_bpki produced no change in output of pipeline, synchronize whacked everything to:

{{{ issuer= /CN=ca0.rpki.net BPKI server CA subject= /CN=altCA BPKI resource CA notBefore=Sep 10 03:41:46 2013 GMT notAfter=Nov 9 03:41:46 2013 GMT }}}

(etc).

Conclusion is obvious: update_bpki is not pushing changes to pubd, synchronize is. Not sure why (more precisely: code will likely be obvious, but was there a reason why update_bpki wasn't doing this?).

Will look into this further in the morning.

Trac comment by sra on 2013-09-10T03:47:35Z

sraustein commented 11 years ago

well, it stopped screaming at me. thanks.

Trac comment by randy on 2013-09-10T03:52:35Z

sraustein commented 11 years ago

So, the basic problem here is that Zookeeper.update_bpki() is updating every BPKI certificate object we have, but Zookeeper.synchronize_bpki() is only pushing out a select subset of those. Not clear that this ever really made sense.

Separation between .update_bpki() and .synchronize_bpki() does still make sense to me (the latter can throw an exception if daemons aren't running, and there are situations in which one might want to update the database even though one can't update the daemons at the moment).

Why we're reimplementing a subset of the .synchronize() logic in .synchronize_bpki() is a bit iffier. At one point the theory was that .synchronize() would go away eventually. I can also sort of see an argument that rpkic update_bpki should not be creating or destroying entities, only updating BPKI data of existing entities, so we wouldn't want the full synchronize logic here.

It also looks like rpkic update_bpki has some functional overlap with rpkic renew_all_children, which may not have been intended.

This part of the UI architecture has been through so many user-request-driven revisions over the years that any resemblance to a coherent design has long since been lost in the mists.

In any case: need to sort out which things .update_bpki() is supposed to be touching, and make sure that .synchronize_bpki() pushes exactly that set out to daemons.

Oh, and .synchronize_bpki() should check .run_rpkid rather than just assuming that every installation runs rpkid, as we already have an example of somebody running a pubd-only configuration on one of his lab machines.

Trac comment by sra on 2013-09-10T20:50:00Z

sraustein commented 11 years ago

So there are two basic approaches I could take to fixing this:

  1. Add an update_only mode to the existing .synchronize_*_core() methods;
  2. Add code to synchronize just (all of) the BPKI stuff to .synchronize_bpki().

I started coding the first approach, on the theory that consolidating the number of places that muck with this into a smaller set of methods would be good, but it turns out that so much of the existing code has to go under if not update_only conditionals that the result would be pretty much unreadable, and would still contain two separate code paths.

So I'm currently planning to scrap the current patch (well, I may save a copy somewhere) and code the second approach, as it'll likely end up being smaller and cleaner.

Trac comment by sra on 2013-09-11T00:58:23Z

sraustein commented 11 years ago

In [changeset:5492]: {{{

!CommitTicketReference repository="" revision="5492"

Zookeeper.synchronize_bpki() was only synchronizing a subset of the BPKI material that Zookeeper.update_bpki() was updating. Fixes #611. }}}

Trac comment by sra on 2013-09-11T02:35:39Z

sraustein commented 11 years ago

Closed with resolution fixed