[RPKI] Invalid identity certificate: validation error with APNIC

Christopher Munz-Michielin chris at canadianmail.ca
Wed Apr 1 17:02:27 UTC 2020


Just as an update to this; updated to the master branch and was able to import the apnic response without issue.

Cheers,
Chris

On 2020-03-31 3:07 p.m., Christopher Munz-Michielin via RPKI wrote:
> Thanks for the information Tim.
>
> I will give the master branch a try in the coming days and see how it goes.
>
> Cheers,
> Chris
>
> On 2020-03-31 12:18 p.m., Tim Bruijnzeels wrote:
>> Hi Christopher,
>>
>> This is because krill insists that the ID certificates be self signed. The RFC says things should be self signed but it’s not really an issue. So, we put in a change for this in 0.5.0 but overlooked one additional check.
>>
>> This is fixed in the master branch if you are okay with living on the edge a bit. Otherwise we are planning to do the 0.6.0 release next week.
>>
>> Kind regards
>> Tim
>>
>>
>> Sent from my iPhone
>>
>>> On 31 Mar 2020, at 19:45, Christopher Munz-Michielin via RPKI <rpki at lists.nlnetlabs.nl> wrote:
>>>
>>> Hello,
>>>
>>> Trying to get Krill set up with my APNIC account, I've successfully submitted my identity file to APNIC and received the parent response, however, once I attempt to import the response krill just kicks back "Invalid RFC8183 XML: Invalid identity certificate: validation error"
>>>
>>> The response I got back from APNIC looks alright:
>>> <?xml version="1.0"?>
>>> <oob:parent_response xmlns:oob="http://www.hactrn.net/uris/rpki/rpki-setup/" version="1" service_uri="http://rpki.apnic.net/up-down/APNIC-AP/" parent_handle="APNIC-AP" child_handle="A912C8360000"><oob:parent_bpki_ta>MII....
>>>
>>> </oob:parent_bpki_ta></oob:parent_response>
>>>
>>> Though the oob: stuff looks a little strange.  I tried removing it but get the same error.
>>>
>>> This is the command I am attempting to run:
>>> krillc parents add remote --parent apnic --rfc8183 ./response.xml --ca FRC-CA
>>>
>>> I have also tried via the webGUI but it just kicks back "error 400"
>>>
>>> Krill version is 0.5.0
>>>
>>> Anyone managed to get krill working with APNIC?
>>> -- 
>>> RPKI mailing list
>>> RPKI at lists.nlnetlabs.nl
>>> https://lists.nlnetlabs.nl/mailman/listinfo/rpki
>
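
An added example, not part of the thread and not Krill's code: a stdlib-only Python check that reads an RFC 8183 `parent_response` with namespace-aware parsing (the `oob:` prefix is an ordinary XML namespace prefix) and reports whether the `parent_bpki_ta` certificate's issuer and subject names are identical. Matching names are only a necessary condition for a self-signed certificate, since the signature is not verified here; the sample response, its handles and its `service_uri` are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = "{http://www.hactrn.net/uris/rpki/rpki-setup/}"  # RFC 8183 namespace

def tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(cert):
    """Return the raw DER issuer and subject Names of an X.509 certificate."""
    _, pos, _ = tlv(cert, 0)    # Certificate SEQUENCE
    _, pos, _ = tlv(cert, pos)  # TBSCertificate SEQUENCE
    tag, _, end = tlv(cert, pos)
    if tag == 0xA0:             # optional [0] EXPLICIT version
        pos = end
    fields = []
    for _ in range(5):          # serial, sigAlg, issuer, validity, subject
        _, _, end = tlv(cert, pos)
        fields.append(cert[pos:end])
        pos = end
    return fields[2], fields[4]

def inspect_parent_response(xml_text):
    """Summarise a parent_response and its BPKI TA certificate names."""
    root = ET.fromstring(xml_text)
    ta = root.find(NS + "parent_bpki_ta")
    issuer, subject = issuer_and_subject(base64.b64decode(ta.text))
    return {"parent_handle": root.get("parent_handle"),
            "child_handle": root.get("child_handle"),
            "self_issued": issuer == subject}  # names match; signature unchecked

# Constructed sample input below: DER skeletons, not real certificates.
def der_tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form lengths only

def der_name(cn):
    return der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, b"\x06\x03\x55\x04\x03" + der_tlv(0x0C, cn))))

def sample_response(issuer_cn, subject_cn):
    tbs = der_tlv(0x30, der_tlv(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + der_tlv(0x30, b"")
                  + der_name(issuer_cn) + der_tlv(0x30, b"") + der_name(subject_cn))
    b64 = base64.b64encode(der_tlv(0x30, tbs)).decode()
    return ('<oob:parent_response xmlns:oob="http://www.hactrn.net/uris/rpki/rpki-setup/" version="1" '
            'service_uri="https://parent.example/up-down/" parent_handle="example-parent" '
            f'child_handle="example-child"><oob:parent_bpki_ta>{b64}</oob:parent_bpki_ta></oob:parent_response>')
```
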


