<div dir="ltr">Hello<div><br>I emailed rpki-team@ on Friday with my setup for review and possible help, thanks.<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 24 May 2022 at 08:01, Tim Bruijnzeels <<a href="mailto:tim@nlnetlabs.nl" target="_blank">tim@nlnetlabs.nl</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Dear Cristian,<br>
<br>
Let me give a general reply here on-list, but if a follow-up is needed feel free to contact us directly at <a href="mailto:rpki-team@nlnetlabs.nl" target="_blank">rpki-team@nlnetlabs.nl</a>. If we find that there is a general issue with Krill then we will report back - and of course - make a fix asap.<br>
<br>
Reply in-line:<br>
<br>
> On 23 May 2022, at 17:57, Cristian Cardoso via RPKI <<a href="mailto:rpki@lists.nlnetlabs.nl" target="_blank">rpki@lists.nlnetlabs.nl</a>> wrote:<br>
> <br>
> Hi<br>
> I have a question regarding the RPKI certificates generated for my prefixes.<br>
> I activated Krill 6 months ago. After 3 months I noticed that the validation certificates apparently expired with my publisher; I recreated my CA and the problem was resolved. Now, after another 3 months, it has happened again.<br>
<br>
My guess is that the 'expired' certificates are not in fact the certificate issued to you by your parent - and published by them - but the manifest and CRL which your CA publishes.<br>
<br>
As long as Krill is running it will keep re-issuing manifests and CRLs 8 hours (by default) before they would expire. The default validity time is 24 hours plus some random (minute grade) extra time between 0-12 hours.<br>
<br>
If an observer sees that your manifest / CRL have expired, then the most likely cause would be that your CA is unable to publish in your publication server.<br>
<br>
You can check the latest status in the "Repository" tab of the UI, or you can use CLI commands.<br>
<br>
Example checking the repository connection status of our own nlnetlabs ca:<br>
<br>
# krillc repo status --ca nlnetlabs<br>
URI: <a href="https://prod-ps.krill.cloud/rfc8181/nlnetlabs/" rel="noreferrer" target="_blank">https://prod-ps.krill.cloud/rfc8181/nlnetlabs/</a><br>
Status: success<br>
Last contacted: 2022-05-24T09:18:54+00:00<br>
Last successful contact: 2022-05-24T09:18:54+00:00<br>
Next contact on or before: 2022-05-25T09:34:52+00:00<br>
<br>
Or you can check if there are any other issues, including issues connecting to a parent:<br>
<br>
# krillc issues --ca nlnetlabs<br>
no issues found<br>
<br>
You can also check for issues connecting to a parent in the "Parents" tab in the UI, or you can use "krillc parents statuses --ca <myca>"<br>
<br>
If you see connection issues here then you should probably contact your parent or repository server about this first.<br>
<br>
If you would like to share your config file with us directly then I am also happy to have a look whether I can spot any timing configuration issues there. If you do, then please remove the "admin_token" - we don't need to know! And send it directly to <a href="mailto:rpki-team@nlnetlabs.nl" target="_blank">rpki-team@nlnetlabs.nl</a> please.<br>
<br>
<br>
> I looked at Krill's documentation and found this: <a href="https://krill.docs.nlnetlabs.nl/en/stable/ca-keyroll.html#key-life-cycle-background" rel="noreferrer" target="_blank">https://krill.docs.nlnetlabs.nl/en/stable/ca-keyroll.html#key-life-cycle-background</a>. I don't know if I understand it correctly, but must I create something in cron on the server to do a rollover?<br>
<br>
A key rollover will not help here. And you do not need to cron anything - just make sure the Krill daemon keeps running. It will re-issue manifests and CRLs when they need to be re-issued, and if Krill can't connect to its parents or repository server for some reason, then it will just keep re-trying every couple of minutes.<br>
<br>
I hope this helps!<br>
<br>
Kind regards,<br>
<br>
<br>
Tim<br>
<br>
<br>
> -- <br>
> RPKI mailing list<br>
> <a href="mailto:RPKI@lists.nlnetlabs.nl" target="_blank">RPKI@lists.nlnetlabs.nl</a><br>
> <a href="https://lists.nlnetlabs.nl/mailman/listinfo/rpki" rel="noreferrer" target="_blank">https://lists.nlnetlabs.nl/mailman/listinfo/rpki</a><br>
<br>
</blockquote></div>
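An added monitoring example, not part of the thread and not Krill's own code, that turns the checks Tim describes into a script: it parses the text output of `krillc repo status --ca <name>` and `krillc issues --ca <name>` and reports a warning or critical level when the last successful publication is older than the re-issue window, so an operator notices a stuck publisher before relying parties see an expired manifest or CRL. The sample outputs are constructed from the thread's example; the thresholds assume the Krill defaults quoted above (24h validity plus 0-12h random extra time, re-issue 8h before expiry); the `failure` status string, the `assess_repo_status` function and the alert levels are assumptions of this example.

```python
"""Monitoring check for a Krill CA's publication status (added example).

Parses the text output of `krillc repo status --ca <name>` and
`krillc issues --ca <name>` and decides whether the CA is at risk of
serving an expired manifest/CRL. Thresholds come from the defaults
described in the thread; field names and alert levels are assumptions.
"""
from datetime import datetime, timedelta

# Defaults quoted in the thread (assumed unchanged in krill.conf).
BASE_VALIDITY = timedelta(hours=24)
MAX_RANDOM_EXTRA = timedelta(hours=12)
REISSUE_BEFORE_EXPIRY = timedelta(hours=8)

# A healthy CA republishes no later than (24h - 8h) after its last publish.
WARN_AGE = BASE_VALIDITY - REISSUE_BEFORE_EXPIRY   # 16h
# Beyond the longest possible validity window something has expired.
CRIT_AGE = BASE_VALIDITY + MAX_RANDOM_EXTRA        # 36h


def parse_repo_status(text: str) -> dict:
    """Turn the 'Key: value' lines of `krillc repo status` into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")   # split on the first ':' only
        fields[key.strip()] = value.strip()
    return fields


def _parse_ts(value: str) -> datetime:
    # Timestamps in the output are RFC 3339 with a numeric UTC offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assess_repo_status(status_text: str, now) -> tuple:
    """Return (level, reasons); level is 'ok', 'warning' or 'critical'.

    `now` may be a timezone-aware datetime or an RFC 3339 string.
    """
    if isinstance(now, str):
        now = _parse_ts(now)
    f = parse_repo_status(status_text)
    reasons = []
    level = "ok"

    if f.get("Status", "").lower() != "success":
        level = "critical"
        reasons.append(f"last publication attempt failed: {f.get('Status')!r}")

    last_ok = f.get("Last successful contact")
    if last_ok is None:
        return "critical", ["no successful contact recorded"]
    age = now - _parse_ts(last_ok)
    if age > CRIT_AGE:
        level = "critical"
        reasons.append(f"no successful publish for {age}; objects must have expired")
    elif age > WARN_AGE and level == "ok":
        level = "warning"
        reasons.append(f"no successful publish for {age}; re-issue may be stuck")

    nxt = f.get("Next contact on or before")
    if nxt and _parse_ts(nxt) < now and level == "ok":
        level = "warning"
        reasons.append("scheduled repository contact is overdue")

    return level, reasons


def parse_issues(text: str) -> list:
    """`krillc issues` prints 'no issues found' or one issue per line."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    return [] if lines == ["no issues found"] else lines


# Constructed sample outputs, modelled on the thread's example.
HEALTHY = """\
URI: https://prod-ps.krill.cloud/rfc8181/nlnetlabs/
Status: success
Last contacted: 2022-05-24T09:18:54+00:00
Last successful contact: 2022-05-24T09:18:54+00:00
Next contact on or before: 2022-05-25T09:34:52+00:00
"""

# Constructed: publisher unreachable for two days ('failure' is an assumed string).
STUCK = """\
URI: https://publisher.example/rfc8181/myca/
Status: failure
Last contacted: 2022-05-24T09:18:54+00:00
Last successful contact: 2022-05-22T09:18:54+00:00
Next contact on or before: 2022-05-24T09:25:00+00:00
"""

if __name__ == "__main__":
    now = "2022-05-24T10:00:00+00:00"
    for name, out in (("healthy", HEALTHY), ("stuck", STUCK)):
        print(name, assess_repo_status(out, now))
    print(parse_issues("no issues found"))
```

In practice the two sample strings would be replaced by the output of `subprocess.run(["krillc", "repo", "status", "--ca", name], capture_output=True, text=True).stdout` on the Krill host, and the returned level fed to whatever alerting the operator already uses; the 16h warning threshold fires well before the earliest possible expiry, which is the point at which contacting the parent or repository operator (as Tim suggests) is still cheap.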