[RPKI] Invalid identity certificate: validation error with APNIC

Christopher Munz-Michielin christopher at ve7alb.ca
Tue Mar 31 22:07:16 UTC 2020


Thanks for the information Tim.

I will give the master branch a try in the coming days and see how it goes.

Cheers,
Chris

On 2020-03-31 12:18 p.m., Tim Bruijnzeels wrote:
> Hi Christopher,
>
> This is because krill insists that the ID certificates be self signed. The RFC says things should be self signed but it’s not really an issue. So, we put in a change for this in 0.5.0 but overlooked one additional check.
>
> This is fixed in the master branch if you are okay with living on the edge a bit. Otherwise we are planning to do the 0.6.0 release next week.
>
> Kind regards
> Tim
>
>
>> On 31 Mar 2020, at 19:45, Christopher Munz-Michielin via RPKI <rpki at lists.nlnetlabs.nl> wrote:
>>
>> Hello,
>>
>> Trying to get Krill set up with my APNIC account, I've successfully submitted my identity file to APNIC and received the parent response, however, once I attempt to import the response krill just kicks back "Invalid RFC8183 XML: Invalid identity certificate: validation error"
>>
>> The response I got back from APNIC looks alright:
>> <?xml version="1.0"?>
>> <oob:parent_response xmlns:oob="http://www.hactrn.net/uris/rpki/rpki-setup/" version="1" service_uri="http://rpki.apnic.net/up-down/APNIC-AP/" parent_handle="APNIC-AP" child_handle="A912C8360000"><oob:parent_bpki_ta>MII....
>>
>> </oob:parent_bpki_ta></oob:parent_response>
>>
>> Though the oob: stuff looks a little strange.  I tried removing it but get the same error.
>>
>> This is the command I am attempting to run:
>> krillc parents add remote --parent apnic --rfc8183 ./response.xml --ca FRC-CA
>>
>> I have also tried via the webGUI but it just kicks back "error 400"
>>
>> Krill version is 0.5.0
>>
>> Anyone managed to get krill working with APNIC?
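
A quick way to see whether the parent_bpki_ta certificate in an RFC 8183 parent response is self-issued (issuer equal to subject), which is the precondition for it being self signed. This is an added example, not Krill's code and not part of the thread; it does not verify the signature, all function names are hypothetical, and the sample response is constructed (an unsigned DER skeleton, not APNIC's certificate).

```python
import base64
import xml.etree.ElementTree as ET
NS = "{http://www.hactrn.net/uris/rpki/rpki-setup/}"  # namespace from the response above

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER of the issuer and subject Names of an X.509 certificate."""
    _, start, _ = read_tlv(der, 0)          # Certificate SEQUENCE
    _, pos, tbs_end = read_tlv(der, start)  # tbsCertificate SEQUENCE
    fields = []
    while pos < tbs_end and len(fields) < 5:
        tag, _, end = read_tlv(der, pos)
        if tag != 0xA0:                     # skip the optional [0] version
            fields.append(der[pos:end])
        pos = end
    if len(fields) < 5:
        raise ValueError("tbsCertificate has too few fields")
    return fields[2], fields[4]  # serial, sigalg, ISSUER, validity, SUBJECT

def bpki_ta_is_self_issued(xml_text):
    """True when the parent_bpki_ta certificate names itself as its issuer."""
    ta = ET.fromstring(xml_text).find(NS + "parent_bpki_ta")
    if ta is None or not (ta.text or "").strip():
        raise ValueError("no parent_bpki_ta certificate in response")
    issuer, subject = issuer_and_subject(base64.b64decode(ta.text))
    return issuer == subject

def tlv(tag, body):
    """DER-encode one element, short-form length only (enough for the sample)."""
    return bytes([tag, len(body)]) + body

def sample_response(issuer_cn, subject_cn):
    """Constructed response; the 'certificate' is an unsigned DER skeleton."""
    def name(cn):  # Name with a single commonName (OID 2.5.4.3) attribute
        return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn))))
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
    tbs += name(issuer_cn) + tlv(0x30, b"") + name(subject_cn)
    b64 = base64.b64encode(tlv(0x30, tlv(0x30, tbs))).decode()
    return (f'<oob:parent_response xmlns:oob="{NS[1:-1]}" version="1">'
            f'<oob:parent_bpki_ta>{b64}</oob:parent_bpki_ta></oob:parent_response>')
```

The comparison is on the raw DER bytes of the two Names, so a False result on a real response means the certificate was issued under a different name and a validator that requires a self-signed ID certificate will reject it.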


