Closed sraustein closed 8 years ago
sraustein
commented
8 years ago RIPE can only read and write the old format, not the current format in the WG I-D. They didn't translate their response to the new format for you, so you have to do that yourself by running it through oob-translate.xsl (yes, the same xsl translates in both directions).
{{{ xsltproc -o output.xml oob-translate.xsl input.xml }}}
Trac comment by sra on 2016-03-22T18:07:30Z
sraustein
commented
8 years ago so it's translate xml in and out. so how is up-down gonna work?
Trac comment by randy on 2016-03-22T21:22:15Z
sraustein
commented
8 years ago so it's translate xml in and out.
Translate OOB protocol XML in and out.
so how is up-down gonna work?
Different protocol. RIPE implements that one, or so they say.
Trac comment by sra on 2016-03-22T21:32:34Z
sraustein
commented
8 years ago the gui would import the converted ripe identity, but i could not see how to get it to divulge a publication request. so i tried rpkic
{{{
ca.rg.net:/root# rpkic configure_parent new-ripe-identity.xml
Traceback (most recent call last):
File "/usr/sbin/rpkic", line 38, in
{{{ ca.rg.net:/root# cat new-ripe-identity.xml
sraustein
commented
8 years ago IOError: Error reading file 'new-ripe-identity.xml': failed to load
XML parses correctly, at least at the syntactic level, which is the most this particular backtrace is likely to care about.
Might be long tail of earlier setuid problem, it's probably user
rpki that's trying to read the file.
Permission and ownership of new-ripe-identity.xml?
Trac comment by sra on 2016-03-22T22:20:25Z
sraustein
commented
8 years ago -rw-r--r-- 1 root root 1486 Mar 22 21:16 new-ripe-identity.xml
Trac comment by randy on 2016-03-22T22:36:06Z
sraustein
commented
8 years ago -rw-r--r-- 1 root root 1486 Mar 22 21:16 new-ripe-identity.xml
And the directory this is in?
Trac comment by sra on 2016-03-22T23:59:59Z
sraustein
commented
8 years ago -rw-r--r-- 1 root root 1486 Mar 22 21:16 new-ripe-identity.xml And the directory this is in?
sorry
{{{ ca.rg.net:/root# ls -la total 96 drwx------ 6 root root 4096 Mar 22 22:35 ./ drwxr-xr-x 21 root root 4096 Mar 17 02:50 ../ -rw-r--r-- 1 root root 1187 Mar 22 12:46 back-converted.xml -rw-r--r-- 1 root root 1486 Mar 22 21:16 new-ripe-identity.xml -rw-r--r-- 1 root root 1187 Mar 22 12:41 new.xml -rw-r--r-- 1 root root 2806 Mar 10 22:27 oob-translate.xsl -rw-r--r-- 1 root root 1204 Mar 22 12:44 RGnetCA.identity.xml -rw-r--r-- 1 501 staff 2538 Mar 22 13:02 ripe-identity.xml }}}
Trac comment by randy on 2016-03-23T00:02:45Z
sraustein
commented
8 years ago {{{ drwx------ 6 root root 4096 Mar 22 22:35 ./ -rw-r--r-- 1 root root 1486 Mar 22 21:16 new-ripe-identity.xml }}}
So user rpki can't read it, consistent with theory.
Try rpkic again after copying the file to someplace like /tmp and
making sure the permissions would allow user rpki to read it.
If that fixes it, this is just a minor refactoring problem.
But of course we think the GUI probably got this far, without file permission issues, and you don't know what happened after that.
You might want to check /var/log/rpki/* to see if there's anything
relevant (with plausible timestamps -- you were having enough issues
earlier that you probably have all sorts of awful stuff in the logs
from problems already addressed).
Chow time in this timezone, later.
Trac comment by sra on 2016-03-23T00:11:16Z
sraustein
commented
8 years ago ca.rg.net:/root/foo# l -a total 12 drwxr-xr-x 2 rpki rpki 4096 Mar 23 03:10 ./ drwx------ 7 root root 4096 Mar 23 03:10 ../ -rw-r--r-- 1 rpki rpki 1486 Mar 22 21:16 new-ripe-identity.xml ca.rg.net:/root/foo# rpkic configure_parent new-ripe-identity.xml Parent calls itself 'e17841a7-8582-4832-ab81-8644b3d41dba', we call it 'e17841a7-8582-4832-ab81-8644b3d41dba' Parent calls us 'bd47d2a6-dc6d-49ea-b0e6-0b163396c76f' Wrote /root/foo/RGnetCA.e17841a7-8582-4832-ab81-8644b3d41dba.repository-request.xml This is the file to send to the repository operator
Trac comment by randy on 2016-03-23T03:13:05Z
sraustein
commented
8 years ago but, further down the road
{{{ ca.rg.net:/root/foo# rpkic configure_parent new-ripe-identity.xml Parent calls itself 'e17841a7-8582-4832-ab81-8644b3d41dba', we call it 'e17841a7-8582-4832-ab81-8644b3d41dba' Parent calls us 'bd47d2a6-dc6d-49ea-b0e6-0b163396c76f' Wrote /root/foo/RGnetCA.e17841a7-8582-4832-ab81-8644b3d41dba.repository-request.xml This is the file to send to the repository operator
ca.rg.net:/root/foo# rpkic configure_publication_client RGnetCA.e17841a7-8582-4832-ab81-8644b3d41dba.repository-request.xml This might be an offer, checking We don't host this client's parent, so we didn't make an offer Don't know where else to nest this client, so defaulting to top-level Client calls itself 'RGnetCA', we call it 'RGnetCA' Wrote /root/foo/RGnetCA.repository-response.xml Send this file back to the publication client you just configured
ca.rg.net:/root/foo# l total 12 -rw-r--r-- 1 rpki rpki 1486 Mar 22 21:16 new-ripe-identity.xml -rw-r--r-- 1 rpki rpki 1201 Mar 23 03:12 RGnetCA.e17841a7-8582-4832-ab81-8644b3d41dba.repository-request.xml -rw-r--r-- 1 rpki rpki 1359 Mar 23 03:14 RGnetCA.repository-response.xml
ca.rg.net:/root/foo# rpkic configure_repository RGnetCA.repository-response.xml
Repository calls us 'RGnetCA'
No explicit parent_handle given and unable to guess
Traceback (most recent call last):
File "/usr/sbin/rpkic", line 38, in
Trac comment by randy on 2016-03-23T03:18:31Z
sraustein
commented
8 years ago {{{ ca.rg.net:/root/foo# rpkic configure_repository RGnetCA.repository-response.xml Repository calls us 'RGnetCA' No explicit parent_handle given and unable to guess rpki.irdb.zookeeper.CouldntFindRepoParent }}}
Sigh. Known issue I haven't sorted yet, sorry for not warning you.
The underlying problem here is that the repository response doesn't really include enough information for Zookeeper (the common library that implements all the OOB protocol for both rpkic and the GUI) to know which parent's response this is (hence the exception name).
The old OOB protocol kludged its way out of this mess by passing the parent handle to the repository just so that the repository could echo it back to the client. The revised protocol doesn't do that, because several reviewers pointed out that this was idiotic.
The current workaround is for you to tell rpkic explicitly:
{{{ ca.rg.net:/root/foo# rpkic configure_repository --parent_handle RGnetCA RGnetCA.repository-response.xml }}}
This option has always existed, but it used to be an override that wasn't usually required, due to the aforementioned kludge.
Not sure what the right fix is. Guessing based on the filename isn't it, and while in this case the repository's name for the client happens to be the same as the name of the parent, that doesn't hold in the general case. Feh.
Probably need to review this code in any case, the OOB implementation has always been a little strange (old or new).
Trac comment by sra on 2016-03-23T03:56:27Z
sraustein
commented
8 years ago {{{
ca.rg.net:/root/foo# rpkic configure_repository --parent_handle RGnetCA RGnetCA.repository-response.xml
Repository calls us 'RGnetCA'
Explicit parent_handle given
Could not find parent 'RGnetCA' in our database
Traceback (most recent call last):
File "/usr/sbin/rpkic", line 38, in
Trac comment by randy on 2016-03-23T04:01:25Z
sraustein
commented
8 years ago Hmm, you seem to have one tenant (what used to be called a RGnetCA, which has //two// parents:
e17841a7-8582-4832-ab81-8644b3d41dbaripeFrom one of the earlier messages you logged:
{{{ ca.rg.net:/root/foo# rpkic configure_parent new-ripe-identity.xml Parent calls itself 'e17841a7-8582-4832-ab81-8644b3d41dba', we call it 'e17841a7-8582-4832-ab81-8644b3d41dba' Parent calls us 'bd47d2a6-dc6d-49ea-b0e6-0b163396c76f' Wrote /root/foo/RGnetCA.e17841a7-8582-4832-ab81-8644b3d41dba.repository-request.xml This is the file to send to the repository operator }}}
So presumably that's the name you want here:
{{{ ca.rg.net:/root/foo# rpkic configure_repository --parent_handle e17841a7-8582-4832-ab81-8644b3d41dba RGnetCA.repository-response.xml }}}
Ick, but that appears to be what they told you to register.
This sort of thing, BTW, is why it's possible to override the local name for handles provided by the parent. We have to retain the handle they gave us, because it's used in the up-down protocol, but in cases like this we might want to call it something else locally. That's a side issue, you probably don't want to get into it now.
Trac comment by sra on 2016-03-23T04:14:33Z
sraustein
commented
8 years ago what the bleep
{{{ ca.rg.net:/root/foo# xsltproc -o oob-translate.xsl issuer-identity-20160323.xml ripe-identity-new.xml compilation error: file issuer-identity-20160323.xml line 1 element parent_response xsltParseStylesheetProcess : document is not a stylesheet
ca.rg.net:/root/foo# cat issuer-identity-20160323.xml
sraustein
commented
8 years ago what the bleep
{{{ ca.rg.net:/root/foo# xsltproc -o oob-translate.xsl issuer-identity-20160323.xml ripe-identity-new.xml compilation error: file issuer-identity-20160323.xml line 1 element parent_response xsltParseStylesheetProcess : document is not a stylesheet }}}
Farbled command line. xsltproc thinks issuer-identity-20160323.xml doesn't look much like a valid XSL stylesheet. It's probably right.
You want:
{{{ xsltproc -o output.xml oob-translate.xsl input.xml }}}
Trac comment by sra on 2016-03-23T04:40:54Z
sraustein
commented
8 years ago {{{ ca.rg.net:/root/foo# xsltproc -o ripe-identity-new.xml oob-translate.xsl issuer-identity-20160323.xml
ca.rg.net:/root/foo# rpkic configure_parent ripe-identity-new.xml
Traceback (most recent call last):
File "/usr/sbin/rpkic", line 38, in
{{{
sraustein
commented
8 years ago {{{ ca.rg.net:/root/foo# xsltproc -o ripe-identity-new.xml oob-translate.xsl issuer-identity-20160323.xml ca.rg.net:/root/foo# rpkic configure_parent ripe-identity-new.xml lxml.etree.DocumentInvalid: Did not expect element parent there, line 1 }}}
There is no top-level
The two formats are not that hard to tell apart, because the XML
contains a namespace string for which you can grep.
http://www.hactrn.net/uris/rpki/myrpki/ is the namespace for the old
protocol, http://www.hactrn.net/uris/rpki/rpki-setup/ is the
namespace for the new protocol.
Trac comment by sra on 2016-03-23T05:09:56Z
sraustein
commented
8 years ago huh, i fed it ripe-indentity-new from
{{{ ca.rg.net:/root/foo# rpkic configure_parent ripe-identity-new.xml identity-20160323.xml
ca.rg.net:/root/foo# rpkic configure_parent ripe-identity-new.xml
Traceback (most recent call last):
File "/usr/sbin/rpkic", line 38, in
per your
{{{ xsltproc -o output.xml oob-translate.xsl input.xml }}}
Trac comment by randy on 2016-03-23T05:18:08Z
sraustein
commented
8 years ago If you've already converted it to the new format, running it through the translator again will flip it back to the old format, which appears to be what you're doing. At least, that's the only way I can explain the error messages you're ticketing.
Trac comment by sra on 2016-03-23T05:25:53Z
sraustein
commented
8 years ago BTW, the only thing that's going to have a
Trac comment by sra on 2016-03-23T05:37:28Z
sraustein
commented
8 years ago sigh. you are correct. resynced the xml and
{{{ ca.rg.net:/root/foo# xsltproc -o ripe-identity-new.xml oob-translate.xsl issuer-identity-20160323.xml ca.rg.net:/root/foo# rpkic configure_parent ripe-identity-new.xml Parent calls itself 'e17841a7-8582-4832-ab81-8644b3d41dba', we call it 'e17841a7-8582-4832-ab81-8644b3d41dba' Parent calls us 'a5b39a7d-2629-496b-8806-86270050d53a' Wrote /root/foo/RGnetCA.e17841a7-8582-4832-ab81-8644b3d41dba.repository-request.xml This is the file to send to the repository operator }}}
{{{ ca.rg.net:/root/foo# xsltproc -o pub-request-new.xml oob-translate.xsl RGnetCA.e17841a7-8582-4832-ab81-8644b3d41dba.repository-request.xml }}}
and then i try
{{{
ca.rg.net:/root/foo# rpkic configure_publication_client pub-request-new.xml
Traceback (most recent call last):
File "/usr/sbin/rpkic", line 38, in
{{{ ca.rg.net:/root/foo# cat RGnetCA.e17841a7-8582-4832-ab81-8644b3d41dba.repository-request.xml
ca.rg.net:/root/foo# cat pub-request-new.xml
MIIC8zCCAdugAwIBAgIBAzANBgkqhkiG9w0BAQsFADAjMSEwHwYDVQQDExhSR25l dENBIEJQS0kgcmVzb3VyY2UgQ0EwHhcNMTYwMzIzMDMzMDAyWhcNMjYwMzIzMDMz MDAyWjAjMSEwHwYDVQQDExhSR25ldENBIEJQS0kgcmVzb3VyY2UgQ0EwggEiMA0G CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDvgcnhGCDYWC+hA+gMxazKvGtgEyzy erNKRaVaPclV10HZRfmJzC5UFQuJBfXbSMug4o48sqmeXpX0by6gvRxXhfrYhW4f veumuxOeEvdy19Bqp2vPrB0qtnlMseAA0f6P0NIxeYXPrpXzjijRBM1os3MNiipX qNHZxOVkOZbn3TjA+DUQDy3vja9ERTsUy7dT6omMwGbc+iG/8CKGISoSRaNpRUqw fOgbDMFdQjgxD4KXqNknEyFrNfCJHeNGbf9oD4u8HlFsJv2e3MrcZ7P8AJBzvZRj CHgMROyrdRqFJOFllwaKaP/atSj15ePMbDDCffyrnptFaM/uAv+r1tSvAgMBAAGj MjAwMB0GA1UdDgQWBBRWiwXAFeST9edkDobJ3Fd39QH+jjAPBgNVHRMBAf8EBTAD AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQDNsE8rOFjIRP1cX0RvPIG4uSFKXhdseKIE fpOmQSJ2U913pY76jOFgsaxxuvu+KiEClzBwiQuz6qW0+ytBHJO7aB99N5mBlmvJ PhJoRFDDJB0Dg2ohfWgPim18uD2IvBAU4wZMSObmL2aemVqck0H1jIxisH76bfiU B+IvFetpPpq4CtbCWBTiET5ut7YljgR09U2kp7zP8AiM28jTpEOKAYZHfL1/TYNq qQcu7wwTyr8Gx75jTH2MsfzWoC8TLTnN+DlpReqLkDq2WExWWqKizBzOt/dziGf4 hRYpwSkMLo9B6S24uUC383XKizI21C01AszUVkeXAJuldlDL06wa
}}}
Trac comment by randy on 2016-03-23T05:38:17Z
sraustein
commented
8 years ago {{{ ca.rg.net:/root/foo# xsltproc -o ripe-identity-new.xml oob-translate.xsl issuer-identity-20160323.xml ca.rg.net:/root/foo# rpkic configure_parent ripe-identity-new.xml Parent calls itself 'e17841a7-8582-4832-ab81-8644b3d41dba', we call it 'e17841a7-8582-4832-ab81-8644b3d41dba' Parent calls us 'a5b39a7d-2629-496b-8806-86270050d53a' Wrote /root/foo/RGnetCA.e17841a7-8582-4832-ab81-8644b3d41dba.repository-request.xml This is the file to send to the repository operator }}}
{{{ ca.rg.net:/root/foo# xsltproc -o pub-request-new.xml oob-translate.xsl RGnetCA.e17841a7-8582-4832-ab81-8644b3d41dba.repository-request.xml }}}
Why are you translating the repository request? It's RIPE that speaks the old protocol, not your setup. Just move on to the next step using RGnetCA.e17841a7-8582-4832-ab81-8644b3d41dba.repository-request.xml, like rpkic told you to do.
and then i try {{{ ca.rg.net:/root/foo# rpkic configure_publication_client pub-request-new.xml lxml.etree.XMLSyntaxError: Start tag expected, '<' not found, line 4, column 1 }}}
the lxml parser is complaining because you attempted to translate the repository request into the old protocol, which is neither necessary nor supported by the XSL transform. In the absence of a template telling it how to translate that PDU, XSL reverted to its default behavior: it stripped off all the XML markup and dumped the remaining text verbatim. So you're trying to feed raw Base64 into an XML parser, which ends badly (and would end worse if the XML parser decoded the Base64, because the next layer down is ASN.1 DER...).
Trac comment by sra on 2016-03-23T05:53:24Z
sraustein
commented
8 years ago Why are you translating the repository request?
i grok now. translate only when going ripe<->local.
i have finished the config
As the xml crossed the ripe/local xml version boundary, you need to translate the ripe identity into the new xml format and feed this to your GUI or to rpkic {{{
ca.rg.net:/root/foo# rpkic configure_parent ripe-identity-new.xml Parent calls itself 'e17841a7-8582-4832-ab81-8644b3d41dba', we call it 'e17841a7-8582-4832-ab81-8644b3d41dba' Parent calls us 'a5b39a7d-2629-496b-8806-86270050d53a' Wrote /root/foo/RGnetCA.e17841a7-8582-4832-ab81-8644b3d41dba.repository-request.xml This is the file to send to the repository operator }}}
As the repository request came from the local server and is going to the local server, there is no need to translate it {{{ ca.rg.net:/root/foo# rpkic configure_publication_client RGnetCA.e17841a7-8582-4832-ab81-8644b3d41dba.repository-request.xml This might be an offer, checking We don't host this client's parent, so we didn't make an offer Don't know where else to nest this client, so defaulting to top-level Client calls itself 'RGnetCA', we call it 'RGnetCA' Wrote /root/foo/RGnetCA.repository-response.xml Send this file back to the publication client you just configured }}}
As this xml does not cross the ripe/local boundary, there is no need to translate it {{{ ca.rg.net:/root/foo# rpkic configure_repository RGnetCA.repository-response.xml Repository calls us 'RGnetCA' No explicit parent_handle given, guessing parent e17841a7-8582-4832-ab81-8644b3d41dba }}}
Trac comment by randy on 2016-03-23T05:55:02Z
sraustein
commented
8 years ago As far as I can tell, oob-translate.xsl works as expected when used properly, problem was confusion about which messages needed translation.
Trac comment by sra on 2016-05-09T06:02:21Z
sraustein
commented
8 years ago Closed with resolution worksforme
{{{
{{{ ca.rg.net:/root# xsltproc oob-translate.xsl -o RGnetCA.identity.xml back-converted.xml warning: failed to load external entity "-o" unable to parse -o }}}
this {{{ ca.rg.net:/root# xsltproc oob-translate.xsl RGnetCA.identity.xml > back-converted.xml }}} worked
Uploaded to RIPE successfully. downloaded ripe's identity and
gui blew when importing ripe's identity {{{ [Tue Mar 22 12:50:23.207955 2016] [:error] [pid 32629:tid 3032132416] ERROR 2016-03-22 12:50:23,204 django.request Internal Server Error: /rpki/parent/import [Tue Mar 22 12:50:23.207996 2016] [:error] [pid 32629:tid 3032132416] Traceback (most recent call last): [Tue Mar 22 12:50:23.208003 2016] [:error] [pid 32629:tid 3032132416] File "/usr/lib/python2.7/dist-packages/django/core/handlers/base.py", line 132, in get_response [Tue Mar 22 12:50:23.208009 2016] [:error] [pid 32629:tid 3032132416] response = wrapped_callback(request, _callback_args, _callback_kwargs) [Tue Mar 22 12:50:23.208015 2016] [:error] [pid 32629:tid 3032132416] File "/usr/lib/python2.7/dist-packages/django/contrib/auth/decorators.py", line 22, in _wrapped_view [Tue Mar 22 12:50:23.208020 2016] [:error] [pid 32629:tid 3032132416] return view_func(request, _args, _kwargs) [Tue Mar 22 12:50:23.208025 2016] [:error] [pid 32629:tid 3032132416] File "/usr/lib/python2.7/dist-packages/rpki/gui/decorators.py", line 28, in _tls_required [Tue Mar 22 12:50:23.208031 2016] [:error] [pid 32629:tid 3032132416] return f(request, _args, _kwargs) [Tue Mar 22 12:50:23.208036 2016] [:error] [pid 32629:tid 3032132416] File "/usr/lib/python2.7/dist-packages/rpki/gui/app/views.py", line 107, in wrapped_fn [Tue Mar 22 12:50:23.208041 2016] [:error] [pid 32629:tid 3032132416] return f(request, _args, _kwargs) [Tue Mar 22 12:50:23.208046 2016] [:error] [pid 32629:tid 3032132416] File "/usr/lib/python2.7/dist-packages/rpki/gui/app/views.py", line 417, in parent_import [Tue Mar 22 12:50:23.208052 2016] [:error] [pid 32629:tid 3032132416] return generic_import(request, conf.parents, Zookeeper.configure_parent) [Tue Mar 22 12:50:23.208057 2016] [:error] [pid 32629:tid 3032132416] File "/usr/lib/python2.7/dist-packages/django/contrib/auth/decorators.py", line 22, in _wrapped_view [Tue Mar 22 12:50:23.208062 2016] [:error] [pid 32629:tid 3032132416] return view_func(request, _args, _kwargs) [Tue Mar 22 12:50:23.208067 2016] [:error] [pid 32629:tid 3032132416] File "/usr/lib/python2.7/dist-packages/rpki/gui/decorators.py", line 28, in _tls_required [Tue Mar 22 12:50:23.208073 2016] [:error] [pid 32629:tid 3032132416] return f(request, _args, _kwargs) [Tue Mar 22 12:50:23.208078 2016] [:error] [pid 32629:tid 3032132416] File "/usr/lib/python2.7/dist-packages/rpki/gui/app/views.py", line 107, in wrapped_fn [Tue Mar 22 12:50:23.208083 2016] [:error] [pid 32629:tid 3032132416] return f(request, _args, _kwargs) [Tue Mar 22 12:50:23.208088 2016] [:error] [pid 32629:tid 3032132416] File "/usr/lib/python2.7/dist-packages/rpki/gui/app/views.py", line 154, in generic_import [Tue Mar 22 12:50:23.208093 2016] [:error] [pid 32629:tid 3032132416] r = configure(z, tmpf.name, handle) [Tue Mar 22 12:50:23.208098 2016] [:error] [pid 32629:tid 3032132416] File "/usr/lib/python2.7/dist-packages/django/utils/decorators.py", line 145, in inner [Tue Mar 22 12:50:23.208113 2016] [:error] [pid 32629:tid 3032132416] return func(_args, _kwargs) [Tue Mar 22 12:50:23.208118 2016] [:error] [pid 32629:tid 3032132416] File "/usr/lib/python2.7/dist-packages/rpki/irdb/zookeeper.py", line 672, in configure_parent [Tue Mar 22 12:50:23.208123 2016] [:error] [pid 32629:tid 3032132416] x = etree_read(filename) [Tue Mar 22 12:50:23.208128 2016] [:error] [pid 32629:tid 3032132416] File "/usr/lib/python2.7/dist-packages/rpki/irdb/zookeeper.py", line 162, in etree_read [Tue Mar 22 12:50:23.208133 2016] [:error] [pid 32629:tid 3032132416] schema.assertValid(e) [Tue Mar 22 12:50:23.208138 2016] [:error] [pid 32629:tid 3032132416] File "lxml.etree.pyx", line 3303, in lxml.etree._Validator.assertValid (src/lxml/lxml.etree.c:159771) [Tue Mar 22 12:50:23.208143 2016] [:error] [pid 32629:tid 3032132416] DocumentInvalid: Did not expect element parent there, line 1 }}}
and trying with rpkic was not much friendlier {{{ ca.rg.net:/root# rpkic configure_parent ripe-identity.xml Traceback (most recent call last): File "/usr/sbin/rpkic", line 38, in
rpki.rpkic.main()
File "/usr/lib/python2.7/dist-packages/rpki/rpkic.py", line 122, in init
self.main(args)
File "/usr/lib/python2.7/dist-packages/rpki/rpkic.py", line 130, in main
args.func(self, args)
File "/usr/lib/python2.7/dist-packages/rpki/rpkic.py", line 418, in do_configure_parent
r, parent_handle = self.zoo.configure_parent(args.parent_xml, args.parent_handle)
File "/usr/lib/python2.7/dist-packages/django/utils/decorators.py", line 145, in inner
return func(_args, *_kwargs)
File "/usr/lib/python2.7/dist-packages/rpki/irdb/zookeeper.py", line 672, in configure_parent
x = etree_read(filename)
File "/usr/lib/python2.7/dist-packages/rpki/irdb/zookeeper.py", line 161, in etree_read
e = ElementTree(file = filename_or_etree_wrapper).getroot()
File "lxml.etree.pyx", line 2953, in lxml.etree.ElementTree (src/lxml/lxml.etree.c:67245)
File "parser.pxi", line 1748, in lxml.etree._parseDocument (src/lxml/lxml.etree.c:102066)
File "parser.pxi", line 1774, in lxml.etree._parseDocumentFromURL (src/lxml/lxml.etree.c:102330)
File "parser.pxi", line 1678, in lxml.etree._parseDocFromFile (src/lxml/lxml.etree.c:101365)
File "parser.pxi", line 1110, in lxml.etree._BaseParser._parseDocFromFile (src/lxml/lxml.etree.c:96817)
File "parser.pxi", line 582, in lxml.etree._ParserContext._handleParseResultDoc (src/lxml/lxml.etree.c:91275)
File "parser.pxi", line 683, in lxml.etree._handleParseResult (src/lxml/lxml.etree.c:92461)
File "parser.pxi", line 620, in lxml.etree._raiseParseError (src/lxml/lxml.etree.c:91722)
IOError: Error reading file 'ripe-identity.xml': failed to load external entity "ripe-identity.xml"
}}}
and for completeness {{{
<?xml version='1.0' encoding='UTF-8'?>MIIDWDCCAkCgAwIBAgIBATANBgkqhkiG9w0BAQsFADA9MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
UklQRSBOQ0MxGzAZBgNVBAMTElJJUEUgTkNDIFJlc291cmNlczAeFw0xNDA5MTcwODM1NDZaFw0y NDA5MTcwODM1NDZaMD0xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhSSVBFIE5DQzEbMBkGA1UEAxMS UklQRSBOQ0MgUmVzb3VyY2VzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqq4aKoRW k5JEXAlS52qb7dmalrinH3pwJybtj1Mfv7fQmsJBwjCR4fLWTSm0IuXj6seDxg5FJCA/1LW1D7QX +jrr7WCGWOwdqaJf+5fPJQJPK/weRn016iB4FXHNZCykTTGU8lTl9aLDEEyG05rCod0vxByFzict 7s6tOn1QC6azeHyKdTObZ0tYDiyYks7W/WnQO8XYKLTN6kQDIh+ZsnRkBrfByLRbwtfRnV27M5KS sqnImW6Aem7HRkLTrenFgcdU9pFgnJB5Wu2zj65zbIu1xr5KfAmgJqFRDRE8bylYyekfXJaT5ft5 cKSPb55q4qva62EgWRgLMbtnL0tIAQIDAQABo2MwYTAdBgNVHQ4EFgQUZekfYnDS6XkgyoQrPzqn PqGD1w8wHwYDVR0jBBgwFoAUZekfYnDS6XkgyoQrPzqnPqGD1w8wDwYDVR0TAQH/BAUwAwEB/zAO BgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAHalyyl5Y/bvvb9PUquzdPQRMJPK4M2d ZIcHFxRDZzY2G3rvlnnMw8HEcb45O7F0LAOoLQP8/xDoiXJlrfKBWR8Sl0pN++PdRjF01EmQfrNh lxkY2lhr0yI1V3IH+fNZR4Rp3epi1/gfJySkL2C9sfRO9zbUa9RcIc+Z17IB7udeKripufscj/zO 6QguF4iaNXH2E2xFqgs4J5K77lup9iicL0YQUVkgubb8YAm5MtjPhtanJsy+W/QS29J9z0CtICKg islZ30ZlVniQhvlruN35QMeffhH4dLoYVkctGqccu6+lh92nCok2ZBWIjSa1OF6hls8fCeM54SBd sFO+Gdk=MIIC8zCCAdugAwIBAgIBATANBgkqhkiG9w0BAQsFADAjMSEwHwYDVQQDExhSR25ldENBIEJQS0kg
cmVzb3VyY2UgQ0EwHhcNMTYwMzIxMDUyMjUwWhcNMjYwMzIxMDUyMjUwWjAjMSEwHwYDVQQDExhS
R25ldENBIEJQS0kgcmVzb3VyY2UgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDv
gcnhGCDYWC+hA+gMxazKvGtgEyzyerNKRaVaPclV10HZRfmJzC5UFQuJBfXbSMug4o48sqmeXpX0
by6gvRxXhfrYhW4fveumuxOeEvdy19Bqp2vPrB0qtnlMseAA0f6P0NIxeYXPrpXzjijRBM1os3MN
iipXqNHZxOVkOZbn3TjA+DUQDy3vja9ERTsUy7dT6omMwGbc+iG/8CKGISoSRaNpRUqwfOgbDMFd
QjgxD4KXqNknEyFrNfCJHeNGbf9oD4u8HlFsJv2e3MrcZ7P8AJBzvZRjCHgMROyrdRqFJOFllwaK
aP/atSj15ePMbDDCffyrnptFaM/uAv+r1tSvAgMBAAGjMjAwMB0GA1UdDgQWBBRWiwXAFeST9edk
DobJ3Fd39QH+jjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAKJ19Obgald3Yp
+cURq5DOsQYyG+v1jCrBQkTYWUSFXHqCD6hKAc3QCBBEeeeDhUJ6Smbm0xjLh7Sbfh7LesNz2hyp
PqGufABwtC/8+vvo9zFaClwqDlrzw8CT4J5veH5FurWpFVluNf009KVqh6FlKhhYPaq2dRvOqEZx
XylXHfcyxtNLYrhSygmocsMhibw7pf6aCvOq5cFWiLXk80KiY1EVEneZVm6v/EJLLTLzb/whaqRv
iyzYpgM+VaS/2BVM20cB7FL98zAM2h+ORSvla3DDpkQ9lOshOdTwcTi7YQmWOubFcvifhx9FbED6
7vuUOrwlJlDQT2KmouoacN2y ca.rg.net:/root#
}}}
note lack of line-end. but hacking it does not help
Trac ticket #791 component testbed priority critical, owner None, created by randy on 2016-03-22T13:03:13Z, last modified 2016-05-09T06:02:21Z