
Missing error message during TA HTTP request

Open ydahhrk opened this issue 2 months ago • 2 comments

I'm building a test suite (notice the "routinator" branch) that starts Apache2 and rsyncd instances and feeds them fake RPKI trees.

Routinator is then kickstarted in vrps mode, using this configuration. It's fed a TAL that points to the local Apache2 and rsync.

If I leave rsync enabled (by toggling disable-rsync), the test run succeeds. However, the log conveys it's because it's falling back to rsync. Furthermore, it prints an error message during the notification download attempting to state why:

$ mkdir -p custom/
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
	-subj "/C=AU/ST=Some-State/O=IWPL/CN=localhost" \
	-keyout "custom/rpt.key" -out "custom/rpt.crt"
...
$ sed -i 's/disable-rsync = true/disable-rsync = false/g' routinator.conf
$ ./2-test.sh | grep -F "Failures"
Failures : 0
$ cat sandbox/tests/simple/routinator.log
[2025-10-22T15:31:43] [WARN] Using config file /home/ahhrk/git/rapport/routinator.conf.
[2025-10-22T15:31:43] [INFO] Using the following TALs:
[2025-10-22T15:31:43] [INFO]   * simple
[2025-10-22T15:31:43] [DEBUG] rsync rsync://localhost:8873/rpki/: running command Command { std: "rsync" "--no-motd" "-z" "--contimeout=10" "--max-size=20000000" "-rtO" "--delete" "rsync://localhost:8873/rpki/" "/home/ahhrk/git/rapport/sandbox/tests/simple/workdir/rsync/localhost:8873/rpki/", kill_on_drop: false }
[2025-10-22T15:31:43] [DEBUG] Found valid trust anchor rsync://localhost:8873/rpki/simple/ta.cer. Processing.
[2025-10-22T15:31:43] [INFO] RRDP https://localhost:8443/simple/notification.xml: error sending request for url (https://localhost:8443/simple/notification.xml) (client error (Connect))
[2025-10-22T15:31:43] [INFO] RRDP https://localhost:8443/simple/notification.xml: Update failed and there is no current copy.

Granted, "client error (Connect)" is not the most helpful error message, but at least it narrows the problem down to HTTP.

If I disable rsync, Routinator fails completely. More importantly, it doesn't print an error message:

$ sed -i 's/disable-rsync = false/disable-rsync = true/g' routinator.conf
$ ./2-test.sh | grep -F "Failures"
Failures : 1
$ cat sandbox/tests/simple/routinator.log 
[2025-10-22T15:32:24] [WARN] Using config file /home/ahhrk/git/rapport/routinator.conf.
[2025-10-22T15:32:24] [INFO] Using the following TALs:
[2025-10-22T15:32:24] [INFO]   * simple
[2025-10-22T15:32:24] [WARN] No valid trust anchor for TAL simple

I think the lack of an error message is a bug.

ydahhrk avatar Oct 22 '25 21:10 ydahhrk
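A check that a test suite like the one described could run over routinator.log to catch the second case, as an added example that is not part of the issue or of Routinator's code. The message patterns come from the two logs in the report; treating any non-DEBUG "RRDP ..." or "rsync ..." line that mentions an error or failure as a fetch diagnostic is an assumption, and `audit_log` is a hypothetical helper name.

```python
import re

# Log line shape seen in the report: "[timestamp] [LEVEL] message".
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>[A-Z]+)\] (?P<msg>.*)$")
NO_TA_RE = re.compile(r"^No valid trust anchor for TAL (?P<tal>\S+)$")
# Assumption: a fetch diagnostic is an "RRDP <uri>: ..." or "rsync <uri>: ..."
# message that mentions an error or a failure, as in the first log.
DIAG_RE = re.compile(r"^(RRDP|rsync) \S+: .*(error|failed)", re.IGNORECASE)

# Excerpts of the two logs quoted in the report (DEBUG lines left out).
LOG_RSYNC_ENABLED = """\
[2025-10-22T15:31:43] [INFO] Using the following TALs:
[2025-10-22T15:31:43] [INFO]   * simple
[2025-10-22T15:31:43] [INFO] RRDP https://localhost:8443/simple/notification.xml: error sending request for url (https://localhost:8443/simple/notification.xml) (client error (Connect))
[2025-10-22T15:31:43] [INFO] RRDP https://localhost:8443/simple/notification.xml: Update failed and there is no current copy.
"""
LOG_RSYNC_DISABLED = """\
[2025-10-22T15:32:24] [INFO] Using the following TALs:
[2025-10-22T15:32:24] [INFO]   * simple
[2025-10-22T15:32:24] [WARN] No valid trust anchor for TAL simple
"""


def audit_log(text):
    """Return (silent_tals, diagnostics) for one Routinator log."""
    failed_tals, diagnostics = [], []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or unparseable lines
        msg = m.group("msg").strip()
        ta = NO_TA_RE.match(msg)
        if ta:
            failed_tals.append(ta.group("tal"))
        elif m.group("level") != "DEBUG" and DIAG_RE.match(msg):
            diagnostics.append(msg)
    # A TAL failure is "silent" when the log gives no transport reason at all.
    silent = failed_tals if not diagnostics else []
    return silent, diagnostics


if __name__ == "__main__":
    for name, log in (("rsync enabled", LOG_RSYNC_ENABLED),
                      ("rsync disabled", LOG_RSYNC_DISABLED)):
        silent, diags = audit_log(log)
        print(f"{name}: silent TAL failures={silent}, diagnostics={len(diags)}")
```
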

Thank you for the report!

I think if you add log-repository-issues = true to your Routinator config, it should print the error message in both cases. I’m not entirely sure why it does print it in the first case – the rsync output should also not be there.

But I think you are right that it should log issues with fetching the TA certificates to the log rather than keep it in the separate repository issue log.

partim avatar Oct 23 '25 09:10 partim

> I think if you add log-repository-issues = true to your Routinator config

But it's right there

ydahhrk avatar Oct 23 '25 15:10 ydahhrk