[RPKI] Running a Krill Repository server, nothing being added to /repo directory

Tim Bruijnzeels tim at nlnetlabs.nl
Sat Jun 27 08:54:05 UTC 2020


Hi,


> On 26 Jun 2020, at 23:54, garlicky via RPKI <rpki at lists.nlnetlabs.nl> wrote:
> 
> Hello,
> 
> First of all, thank you to those who manage and update the RPKI and Krill readthedocs.io pages. They have been concise, accessible, and invaluable in my quest to implement RPKI in our network. The most recent changes made to the "Running a Publication Server" page have been especially appreciated.
> 
> That said, I'm wondering if I missed a step or overlooked something when setting up the repository server; when I add a publisher to the repository, Krill doesn't add or create anything in either /repo/rsync/current/ or /repo/rrdp/. The repository server is able to create a repository response XML just fine, which includes the correct public service URIs, but the directories those service URIs refer to are empty. A month or two ago, I ran Krill with an embedded repository in a test environment, and both /repo/rsync/current/ and /repo/rrdp/ would populate with publisher-specific files when I added a new publisher.
> 
> Is there a step that I'm missing? I'm running the latest version of Krill (reinstalled it via Cargo today) on a server running Ubuntu 18.04.


The directories are only created after the Publication Server has received its first set of things (Manifest, CRL, ROAs) from a publisher.

I can see how that can be confusing, especially during set up, so I created this issue for it:
https://github.com/NLnetLabs/krill/issues/270

The missing step is most likely that you did not yet add a parent to your (test?) CA. If your CA has a repository configured, but did not yet receive a certificate, then it simply has nothing to publish.

The following two options are probably the easiest way to test your CA:

1) https://rpki-testbed.apnic.net

APNIC provide a testbed where anyone can run a delegated CA under them, using private resources. They also provide a Publication Server, but... it was speaking a pre-RFC dialect of the publication protocol earlier - I am not sure that this will work for you today.

We plan to set up a similar service in the near future.

2) Set up a test Trust Anchor in Krill

This test setup is described here:
https://rpki.readthedocs.io/en/latest/krill/testing.html


I hope this helps. Please let us know if you run into anything, or if you have more comments or questions.


Kind regards,
Tim



> 
> Any insight is appreciated and my thanks in advance.
> 
> 
> 
> 
> -- 
> RPKI mailing list
> RPKI at lists.nlnetlabs.nl
> https://lists.nlnetlabs.nl/mailman/listinfo/rpki


