Hi Cristian,

> On 30 May 2022, at 15:07, Cristian Cardoso <[email protected]>
> wrote:
>
> Hello
>
> I emailed rpki-team@ on Friday with my setup for review and possible help,
> thanks.

Your mail got a bit lost in the weekend, but I just replied to it.

Tim

>
> On Tue, 24 May 2022 at 08:01, Tim Bruijnzeels <[email protected]>
> wrote:
> Dear Cristian,
>
> Let me give a general reply here on-list, but if a follow-up is needed feel
> free to contact us directly at [email protected]. If we find that there
> is a general issue with Krill then we will report back - and of course - make
> a fix asap.
>
> Reply in-line:
>
> > On 23 May 2022, at 17:57, Cristian Cardoso via RPKI
> > <[email protected]> wrote:
> >
> > Hi
> > I have a question regarding the RPKI certificates generated for my prefixes.
> > I activated Krill 6 months ago, after 3 months I noticed that the
> > validation certificates apparently expired with my publisher, I recreated
> > my CA and the problem was resolved, now after 3 months it has happened
> > again.
>
> My guess is that the 'expired' certificates are not in fact the certificate
> issued to you by your parent - and published by them - but the manifest and
> CRL which your CA publishes.
>
> As long as Krill is running it will keep re-issuing manifests and CRLs 8
> hours (by default) before they would expire. The default validity time is 24
> hours plus some random (minute grade) extra time between 0-12 hours.
>
> If an observer sees that your manifest / CRL have expired, then the most
> likely cause would be that your CA is unable to publish in your publication
> server.
>
> You can check the latest status in the "Repository" tab of the UI, or you can
> use CLI commands.
>
> Example checking the repository connection status of our own nlnetlabs ca:
>
> # krillc repo status --ca nlnetlabs
> URI: https://prod-ps.krill.cloud/rfc8181/nlnetlabs/
> Status: success
> Last contacted: 2022-05-24T09:18:54+00:00
> Last successful contact: 2022-05-24T09:18:54+00:00
> Next contact on or before: 2022-05-25T09:34:52+00:00
>
> Or you can check if there are any other issues, including issues connecting
> to a parent:
>
> # krillc issues --ca nlnetlabs
> no issues found
>
> You can also check for issues connecting to a parent in the "Parents" tab in
> the UI, or you can use "krillc parents statuses --ca <myca>"
>
> If you see connection issues here then you should probably contact your
> parent or repository server about this first.
>
> If you would like to share your config file with us directly then I am also
> happy to have a look whether I can spot any timing configuration issues
> there. If you do, then please remove the "admin_token" - we don't need to
> know! And send it directly to [email protected] please.
>
>
> > I looked at Krill's documentation and found this
> > https://krill.docs.nlnetlabs.nl/en/stable/ca-keyroll.html#key-life-cycle-background,
> > I don't know if I understand it correctly but I must create something in
> > the cron from the server to rollover?
>
> A key rollover will not help here. And you do not need to cron anything -
> just make sure the Krill daemon keeps running. It will re-issue manifests and
> CRLs when they need to be re-issued, and if Krill can't connect to its
> parents or repository server for some reason, then it will just keep
> re-trying every couple of minutes.
>
> I hope this helps!
>
> Kind regards,
>
>
> Tim
>
>
> > --
> > RPKI mailing list
> > [email protected]
> > https://lists.nlnetlabs.nl/mailman/listinfo/rpki
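
Added example, not part of the thread and not Krill's own code: a monitoring check that reads the `krillc repo status` text quoted above and reports when publication has stopped, before relying parties see an expired manifest or CRL. It assumes the output keeps the field names shown in the thread; the function names and the `grace` margin are hypothetical, and anything it cannot parse is reported as a problem.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the `krillc repo status` output quoted in the thread.
SAMPLE = """\
URI: https://prod-ps.krill.cloud/rfc8181/nlnetlabs/
Status: success
Last contacted: 2022-05-24T09:18:54+00:00
Last successful contact: 2022-05-24T09:18:54+00:00
Next contact on or before: 2022-05-25T09:34:52+00:00
"""

def parse_status(text):
    """Split 'Key: value' lines on the first ': ' (URIs and timestamps hold colons)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def check_publication(text, now, grace=timedelta(minutes=30)):
    """Return a list of problems; an empty list means publication looks healthy."""
    f = parse_status(text)
    problems = []
    if f.get("Status") != "success":
        problems.append(f"status is {f.get('Status', 'missing')!r}")
    try:
        last_try = datetime.fromisoformat(f["Last contacted"])
        last_ok = datetime.fromisoformat(f["Last successful contact"])
        deadline = datetime.fromisoformat(f["Next contact on or before"])
    except (KeyError, ValueError) as exc:
        # Fail closed: unknown output must not be read as "healthy".
        return problems + [f"unparseable status output: {exc}"]
    if last_ok < last_try:
        problems.append(f"latest attempt failed; last success {last_ok.isoformat()}")
    if now > deadline + grace:
        problems.append(f"overdue: contact was due by {deadline.isoformat()}")
    return problems

if __name__ == "__main__":
    # Usage: krillc repo status --ca <myca> | python3 this_script.py
    import sys
    found = check_publication(sys.stdin.read(), datetime.now(timezone.utc))
    for problem in found:
        print("ALERT:", problem)
    sys.exit(1 if found else 0)
```

The non-zero exit status lets a scheduler or monitoring agent raise the alert; the check itself only observes, since Krill retries publication on its own.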
