[RPKI] cannot download the .roa files, with the list of signed bgp prefixes

Tony Tauber ttauber at 1-4-5.net
Mon Apr 25 22:02:24 UTC 2022


Hi and welcome.

There is a lot to learn about these systems and what is typical behavior
and what is not normal.
Besides logs which are a chore to look at, there are some API Endpoints
<https://routinator.docs.nlnetlabs.nl/en/latest/api-endpoints.html> that
can make things easier.
For example, /api/v1/status which has a JSON document with a bunch of
diagnostic information.

Also there is at least one public installation of Routinator at RIPE NCC
<https://rpki-validator.ripe.net/> which could be hopefully considered
"well run".

You could compare the number of invalid items seen by your installation
with the one at RIPE like this:

> curl -s "https://rpki-validator.ripe.net/api/v1/status" | grep -i invalid | grep -v 0,
>          "invalidROAs": 1,
>          "invalidManifests": 1,
>          "invalidManifests": 1,
>          "invalidROAs": 1,
>          "invalidManifests": 1,
>          "invalidManifests": 1,
>
(You can remove the grep filters to see the whole JSON output.)
When I compare the same endpoint URL in my Routinator installation, I get
the same, suggesting this view converges.

Tony
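
An added example, not part of the original message and not Routinator's own code: the same comparison done on the parsed JSON instead of with grep, so counters are compared as numbers (a count of 10 is kept, where a text filter on `0,` would drop it) and each one is reported with its position in the document. The sample documents and their nesting are constructed, and the local address in the comment is an assumption.

```python
import json
import urllib.request

def fetch_status(base_url):
    """Download /api/v1/status from a Routinator HTTP endpoint."""
    with urllib.request.urlopen(base_url.rstrip("/") + "/api/v1/status", timeout=30) as r:
        return json.load(r)

def invalid_counters(node, path=""):
    """Return {path: count} for every non-zero integer field whose key
    contains "invalid", wherever it sits in the status document."""
    found = {}
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if isinstance(value, (dict, list)):
                found.update(invalid_counters(value, here))
            elif "invalid" in key.lower() and type(value) is int and value != 0:
                found[here] = value
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found.update(invalid_counters(item, f"{path}/{i}"))
    return found

def compare(local, reference):
    """Return {path: (local_count, reference_count)} for counters that differ."""
    a, b = invalid_counters(local), invalid_counters(reference)
    return {p: (a.get(p, 0), b.get(p, 0))
            for p in sorted(a.keys() | b.keys()) if a.get(p, 0) != b.get(p, 0)}

# Constructed sample documents (not real validator output); the nesting is
# an assumption, the walker above does not depend on it.
LOCAL = json.loads("""{"tals": {
  "afrinic": {"validROAs": 4000, "invalidROAs": 10, "invalidManifests": 1},
  "ripe":    {"validROAs": 9000, "invalidROAs": 0,  "invalidManifests": 0}}}""")
REFERENCE = json.loads("""{"tals": {
  "afrinic": {"validROAs": 4009, "invalidROAs": 1, "invalidManifests": 1},
  "ripe":    {"validROAs": 9000, "invalidROAs": 0, "invalidManifests": 0}}}""")

if __name__ == "__main__":
    # Live use: compare(fetch_status("http://localhost:8323"),   # assumed local address
    #                   fetch_status("https://rpki-validator.ripe.net"))
    for path, (mine, theirs) in compare(LOCAL, REFERENCE).items():
        print(f"{path}: local={mine} reference={theirs}")
```

An empty result from `compare` means both validators report the same non-zero invalid counters, which is the convergence the message describes.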

On Mon, Apr 25, 2022 at 4:02 PM gustvieira99 via RPKI <
rpki at lists.nlnetlabs.nl> wrote:

> Hi, how are you? First of all, I would like to thank you very much for
> your response and for your quick response. Good, so what can I do, since it
> is normal to have failures in the cryptographic verification or in the
> repositories? Do I have to wait for both to be normalized? The Routinator
> program is working perfectly, right? I installed the software, on the
> Ubuntu server, following this tutorial here:
> https://blog.apnic.net/2019/10/28/how-to-installing-an-rpki-validator/
>
> Thank you very much for your help and I hope I can solve the problem!!!!
>
>
>
> On Mon, Apr 25, 2022 at 06:43, Alex Band <alex at nlnetlabs.nl> wrote:
>
>> Hello,
>>
>> Please do not worry about some ROAs failing validation. We’ve described
>> this here:
>>
>>
>> https://routinator.docs.nlnetlabs.nl/en/stable/initialisation.html#verifying-initialisation
>>
>> "Because it is expected that the state of the entire RPKI is not perfect
>> at all times, you may see several warnings about objects that are either
>> stale or failed cryptographic verification, or repositories that are
>> temporarily unavailable."
>>
>> Your Routinator is working just fine.
>>
>> Kind regards,
>>
>> Alex
>>
>> > On 25 Apr 2022, at 00:13, gustvieira99 via RPKI <rpki at lists.nlnetlabs.nl> wrote:
>> >
>> > Hi, how are you?
>> > I cannot download the .roa files using Routinator, with the list of the
>> > signed BGP prefixes. When I try to download, the following errors appear
>> > and the ROAs are not downloaded. The error says validation failed on some
>> > and on others it says the certificate has been revoked.
>> >
>> > Output from my linux terminal:
>> > root at linux41:~# routinator -v vrps
>> > rsync://rpki.afrinic.net/repository/member_repository/F3646C24/1C86B7862B5B11EC8EBEF540D8A014CE/_r9_454NpaYN1sjcZoHO9aJGKC4.mft: No valid manifest found.
>> > CA for rsync://rpki.afrinic.net/repository/member_repository/F3646C24/1C86B7862B5B11EC8EBEF540D8A014CE/ rejected, resources marked as unsafe:
>> >    196.13.106.0/24
>> >    196.43.250.0/24
>> >    2001:43fd::/48
>> >    AS327811
>> > rsync://rpki.afrinic.net/repository/member_repository/F368F2D0/7F4A98EA6E0511E89C0D6E4BF8AEA228/6766FC685F2011EC938150DD5A40D577.roa: certificate has been revoked.
>> > rsync://rpki.afrinic.net/repository/member_repository/F368F2D0/7F4A98EA6E0511E89C0D6E4BF8AEA228/6766FC685F2011EC938150DD5A40D577.roa: validation failed.
>> > rsync://rpki.afrinic.net/repository/member_repository/F368F2D0/92F86E1C6E0511E8A1B5854BF8AEA228/3F046A1A1D1E11ECB9949565D8A014CE.roa: validation failed.
>> >
>> > How can I proceed? How can I correct these errors and normally
>> > download the .roa files?
>> > Thank you very much for your help and I hope I can solve the problem!!!!
>> > --
>> > RPKI mailing list
>> > RPKI at lists.nlnetlabs.nl
>> > https://lists.nlnetlabs.nl/mailman/listinfo/rpki