[RPKI] Certificate has Expired

Christopher Munz-Michielin christopher at ve7alb.ca
Sat Dec 16 04:33:20 UTC 2023


Hello all,

Hoping someone can help me shed some light on an issue I'm having with 
Krill and delegated RPKI with ARIN.

Some background - I run a small ISP with a couple of v4 and a single v6 
prefix.  We have been running delegated RPKI with Krill for a couple of 
years now without issue.  Current version of Krill is 0.10.3 (I know 
it's a bit out of date, haven't gotten around to testing upgrades yet).

Recently, I noticed that my prefixes stopped being identified as 
RPKI-Valid, and while looking into this, I discovered Routinator is 
complaining that the 'certificate has expired.'  Now the odd thing is 
that my handshakes with ARIN are up to date (last one was about 10 
minutes ago), and the files in the local repository are constantly being 
updated.  On the routinator VM I have the following logs:

Dec 15 19:38:01 ca-vic-cu-bgp01 routinator[43871]: [WARN] 
rsync://rpki.tools.westconnect.ca/repo/WestConnect-Pub/0/86A99076610E7C08AEDDCE8767AA5DC4528C4908.mft: 
certificate has expired.
Dec 15 19:38:01 ca-vic-cu-bgp01 routinator[43871]: [WARN] 
rsync://rpki.arin.net/repository/arin-rpki-ta/5e4a23ea-e80a-403e-b08c-2171da2157d3/f60c9f32-a87c-4339-a2f3-6299a3b02e29/1146938c-c605-4779-bf60-820a16fa701c/8f6916d463bfc5c35e4659c12889a337f3cc6f6b7fe978372b.cer: 
no valid manifest 
rsync://rpki.tools.westconnect.ca/repo/WestConnect-Pub/0/86A99076610E7C08AEDDCE8767AA5DC4528C4908.mft 
found.

I'm at a bit of a loss here; if anyone can point me in the direction of 
what certificate has expired, and how I might go about renewing it, I 
would be most grateful.

Cheers,
Chris



More information about the RPKI mailing list