cfrpki
Can octorpki connect to new custom TALs?
I would like to test octorpki using my own testbed TAL created via krill, but the software doesn't recognize my TAL. It doesn't even throw any error messages. I compiled octorpki using https://github.com/cloudflare/cfrpki#compile . I adapted the source code to include my new custom TAL in RootTALs:
RootTAL = flag.String("tal.root", "tals/afrinic.tal,tals/apnic.tal,tals/arin.tal,tals/lacnic.tal,tals/ripe.tal,tals/ta.tal", "List of TAL separated by comma")
TALNames = flag.String("tal.name", "AFRINIC,APNIC,ARIN,LACNIC,RIPE,TEST", "Name of the TALs")
I deleted the other TALs from the TAL folder so that I could observe what happens with my TAL, but for every validation run I get the following logs:
time="2021-12-28T10:15:20+01:00" level=info msg="Validator started"
time="2021-12-28T10:15:20+01:00" level=info msg="Serving HTTP on :8081/output.json"
time="2021-12-28T10:15:20+01:00" level=info msg="Still exploring. Revalidating now"
time="2021-12-28T10:15:20+01:00" level=info msg="Stable state. Revalidating in 20m0s"
My TAL works and is accessible via Routinator, but with Octorpki I can't make it work. Any suggestion would be very much appreciated.
I have an octorpki instance running against a test TAL using command line arguments. Have you tried that approach?
Hello ties, yes I think I have. After I made those small changes in the source code I compiled octorpki, got the new octorpki binary and ran it via
nohup octorpki -output.sign=false > out 2> err &
Did I do something wrong, or is there an alternative?
Small update: curiously, changing the source code and compiling the changes with go build does not work, but adding the new TAL and TAL name directly via the command line, octorpki -output.sign=false -tal.root="tals/ta.tal" --tal.name="TEST" > out 2> err, works. The TAL is recognized. I have encountered another issue though, and that is that octorpki throws an error for self-signed certificates (like the one I'm using for my locally hosted testbed TAL). Any change to the source code also doesn't seem to hold up after compiling the new binary. Granted, I am not a Golang programmer, so I can't maneuver a lot.
Is there a way for self-signed certificates to be accepted by octorpki for a testing environment?
Odd that it did not work that other way around!
Is there a way for self-signed certificates to be accepted by octorpki for a testing environment?
For the URL of the repository? I would need to check the code. You may also be able to add the certificate to the certificate store that the Go binary uses (standard Unix tricks apply to figure out if it reads that; you may be able to strace that).