[RPKI] Invalid identity certificate: validation error with APNIC
chris at canadianmail.ca
Wed Apr 1 17:02:27 UTC 2020
Just as an update to this; updated to the master branch and was able to import the apnic response without issue.
On 2020-03-31 3:07 p.m., Christopher Munz-Michielin via RPKI wrote:
> Thanks for the information Tim.
> I will give the master branch a try in the coming days and see how it goes.
> On 2020-03-31 12:18 p.m., Tim Bruijnzeels wrote:
>> Hi Christopher,
>> This is because krill insists that the ID certificates be self signed. The RFC says things should be self signed but it’s not really an issue. So, we put in a change for this in 0.5.0 but overlooked one additional check.
>> This is fixed in the master branch if you are okay with living on the edge a bit. Otherwise we are planning to do the 0.6.0 release next week.
>> Kind regards
>> Sent from my iPhone
>>> On 31 Mar 2020, at 19:45, Christopher Munz-Michielin via RPKI <rpki at lists.nlnetlabs.nl> wrote:
>>> Trying to get Krill set up with my APNIC account, I've successfully submitted my identity file to APNIC and received the parent response, however, once I attempt to import the response krill just kicks back "Invalid RFC8183 XML: Invalid identity certificate: validation error"
>>> The response I got back from APNIC looks alright:
>>> <?xml version="1.0"?>
>>> <oob:parent_response xmlns:oob="http://www.hactrn.net/uris/rpki/rpki-setup/" version="1" service_uri="http://rpki.apnic.net/up-down/APNIC-AP/" parent_handle="APNIC-AP" child_handle="A912C8360000"><oob:parent_bpki_ta>MII....
>>> Though the oob: stuff looks a little strange. I tried removing it but get the same error.
>>> This is the command I am attempting to run:
>>> krillc parents add remote --parent apnic --rfc8183 ./response.xml --ca FRC-CA
>>> I have also tried via the webGUI but it just kicks back "error 400"
>>> Krill version is 0.5.0
>>> Anyone managed to get krill working with APNIC?
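Added example (not part of the thread, and not Krill's code): a stdlib-only Python check that parses an RFC 8183 parent response by namespace and reports whether the certificate in parent_bpki_ta is self-issued (issuer equals subject), which is a precondition for the self-signed requirement discussed above. The function names and the certificate-shaped sample are constructed for illustration; the signature itself is not verified.

```python
import base64
import xml.etree.ElementTree as ET

NS = "http://www.hactrn.net/uris/rpki/rpki-setup/"  # namespace bound to the oob: prefix

def tlv(tag, body=b""):
    """Encode one short-form DER element (bodies under 128 bytes; sample builder only)."""
    return bytes([tag, len(body)]) + body

def children(body):
    """Split a DER constructed value into its (tag, content) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, n, pos = body[pos], body[pos + 1], pos + 2
        if n & 0x80:  # long-form length, as found in real certificates
            k = n & 0x7F
            n, pos = int.from_bytes(body[pos:pos + k], "big"), pos + k
        out.append((tag, body[pos:pos + n]))
        pos += n
    return out

def inspect_parent_response(xml_text):
    """Parse an RFC 8183 parent response and compare the TA's issuer and subject."""
    root = ET.fromstring(xml_text)
    ta = root.find("{%s}parent_bpki_ta" % NS)
    if root.tag != "{%s}parent_response" % NS or ta is None or not ta.text:
        raise ValueError("not an RFC 8183 parent_response")
    der = base64.b64decode("".join(ta.text.split()))
    tbs = children(children(children(der)[0][1])[0][1])  # Certificate -> tbsCertificate
    if tbs[0][0] == 0xA0:  # skip the optional explicit [0] version field
        tbs = tbs[1:]
    issuer, subject = tbs[2][1], tbs[4][1]  # they follow serial and signature algorithm
    info = {k: root.get(k) for k in ("parent_handle", "child_handle", "service_uri")}
    info["self_issued"] = issuer == subject  # needed for self-signed; signature not checked
    return info

def sample_response(issuer_cn, subject_cn):
    """Constructed input: certificate-shaped DER with no real key or signature."""
    def name(cn):
        return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30)
              + name(issuer_cn) + tlv(0x30) + name(subject_cn))
    der = tlv(0x30, tbs + tlv(0x30) + tlv(0x03, b"\x00"))
    return ('<?xml version="1.0"?><oob:parent_response xmlns:oob="%s" version="1" '
            'service_uri="http://rpki.apnic.net/up-down/APNIC-AP/" parent_handle="APNIC-AP" '
            'child_handle="A912C8360000"><oob:parent_bpki_ta>%s</oob:parent_bpki_ta>'
            '</oob:parent_response>' % (NS, base64.b64encode(der).decode()))
```

The parser matches elements on the namespace URI rather than on the literal oob: prefix, so a response whose elements are not in that namespace is rejected before any certificate check runs.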