[RPKI] APNIC CA certificate failed to validate

Tom Harrison tomh at apnic.net
Tue Dec 1 02:56:08 UTC 2020

Hi Chris,

On Tue, Dec 01, 2020 at 02:21:09AM +0000, Chris Caputo via RPKI wrote:
> I installed 0.8.1 today and had a few good hourly runs.
> Then after 2020-12-01 UTC started getting:
> rsync://rpki.apnic.net/repository/B527EF581D6611E2BB468F7C72FD1FF2/ZwTFeTEC0uxi4JpTfGQbsyoqqhM.cer: CA certificate failed to validate.
> CA for rsync://rpki.apnic.net/repository/B527EF581D6611E2BB468F7C72FD1FF2/ rejected, resources marked as unsafe:
> [...]
> rsync://rpki.apnic.net/repository/B3A24F201D6611E28AC8837C72FD1FF2/0I2GgcK-TUfCopBV9m5olVhGF_c.cer: CA certificate failed to validate.
> CA for rsync://rpki.apnic.net/repository/B3A24F201D6611E28AC8837C72FD1FF2/ rejected, resources marked as unsafe:
> [...]
> Anyone else seeing that?
> https://rpki-validator.ripe.net/trust-anchors/monitor/2 seems to concur 
> there is an issue.
>   - Not valid after time is in the past: 2020-12-01T00:00:00.000Z
>   - Not all manifest objects are valid, all entries are rejected	
>   - Certificate is revoked	
>   - etc.

The errors reported for rpki.apnic.net objects are due to the expiry
of APNIC account holder memberships, because the RPKI certificates
have expiry periods that are linked to the membership periods.  After
the RPKI certificate expires, it can remain in place for up to half a
day until a separate process removes it from the repository.


More information about the RPKI mailing list