In the cloudflare OctoRPKI, we have disabled the rrdp failover "-rrdp.failover=false" but still for few URLs its going for the rsync (For APNIC)

Please find below log for the same –

TYPE rsync_errors gauge

rsync_errors {address="rsync://rpki-repository.nic.ad.jp/ap"} 146
rsync_errors{address="rsync://rpki.apnic.net/repository"} 146

Could you please help us to identify the possible issue? We understand why is the cause for JPNIC but not for APNIC ? Even though rsync fails, the ROA counts are correct for APNIC compared to the public sites since it is downloading via RRDP.

Nov 19 08:34:16 rpki01 bbe10dbee28e[1531]: time="2021-11-18T21:34:16Z" level=info msg="RRDP: Downloading root notification https://rrdp.apnic.net/notification.xml"
Nov 19 08:34:16 rpki01 bbe10dbee28e[1531]: time="2021-11-18T21:34:16Z" level=info msg="RRDP: https://rrdp.apnic.net/notification.xml has 3 deltas to parse (cur: 95753, last: 95750)"
Nov 19 08:37:00 rpki01 bbe10dbee28e[1531]: time="2021-11-18T21:37:00Z" level=info msg="RRDP sync https://rrdp.sub.apnic.net/notification.xml"
Nov 19 08:37:00 rpki01 bbe10dbee28e[1531]: time="2021-11-18T21:37:00Z" level=info msg="RRDP: Downloading root notification https://rrdp.sub.apnic.net/notification.xml"
Nov 19 08:37:00 rpki01 bbe10dbee28e[1531]: time="2021-11-18T21:37:00Z" level=info msg="RRDP: https://rrdp.sub.apnic.net/notification.xml has 0 deltas to parse (cur: 1696, last: 1696)"

Also we have noticed, OctoRPKI is not fetching the data for LANIC-AS0 tal. Please advise why it is working for APNIC AS0 not for LANIC AS0.

100 17736 17714 66 Nov18 ? 1-11:56:46 ./octorpki -tal.root=tals/afrinic.tal,tals/apnic.tal,tals/arin.tal,tals/lacnic.tal,tals/ripe.tal,tals/lacnic-as0.tal -tal.name=AFRINIC,APNIC,ARIN,LACNIC,RIPE,LACNIC-AS0 -output.sign=false -rrdp.failover=false -refresh=600
100 17896 17876 6 Nov18 ? 03:43:42 ./gortr -loglevel debug -refresh 600 -rtr.refresh 600 -slurm /configs/slurm.json -ssh.bind :8282 -ssh.key private_new.pem -ssh.method.password=true -ssh.auth.user rpki -ssh.auth.password rpki -bind :8283 -cache http://octorpk:8081/output.json -verify=false

Hi,

Is there a possibility to customise/override specific ROAs with mechanisms such as:

• Ignore filters
  You can use filters to exclude ROAs matching an ASN and/or prefix

• Whitelist
  By adding a whitelist entry you can manually authorise an ASN to originate a prefix in addition to the validated ROAs from the repository.

?

Yesterday ARIN introduced incorrect algorithm identifier encodings in their RPKI data.

It appears that for some reason Cloudflare's RPKI validation process did not catch this error and continued to produce VRPs based on cryptographically invalid data

A more detailed analysis of what transpired is available here http://sobornost.net/~job/arin-manifest-issue-2020.08.12.txt

ARIN confirmed the analysis was correct and is now working to restore CA services.

tested on cfrpki 1.2.0-pre

Upgraded a pre 1.2.0 OctoRPKI with the current 1.2.0 .deb package. Worked fine with one minor hitch. Perhaps ask or warn about updating an existing /etc/default/octorpki since when it overwrote mine it took a bit of debugging to realize my gortr rpki-rtr was no longer serving any data. Having signed the output by default, this was removed with this package install.

For instance:

Etag: 9afed96574a335e691bd54e6bd2fb2f41871e253151600375dd07dd3967fb75b

This should be

Etag: "9afed96574a335e691bd54e6bd2fb2f41871e253151600375dd07dd3967fb75b"

I am not sure where you have seen the mail Prajakta(below). There is big difference on performance between 1.2.2 and 1.3.0 in the lab testing. Version 1.2.2 takes around 5 minutes and 1.3.0 takes up to 45 minutes.

We are facing the issue with the octorpki as it is taking longer time to process ROAs. We are getting the expiration issue for certificate and parent issue for certificate error.

Please find the below errors for certificate from the octorpki -

[[email protected] ~]# grep f57670700d60 /var/log/messages
Oct 27 04:30:57 rpki01 f57670700d60[1246]: time="2021-10-26T17:30:57Z" level=info msg="Stable state. Revalidating in 20m0s"
Oct 27 04:50:57 rpki01 f57670700d60[1246]: time="2021-10-26T17:50:57Z" level=info msg="RRDP sync https://rrdp.arin.net/notification.xml"
Oct 27 04:50:57 rpki01 f57670700d60[1246]: time="2021-10-26T17:50:57Z" level=info msg="RRDP: Downloading root notification https://rrdp.arin.net/notification.xml"
Oct 27 04:50:58 rpki01 f57670700d60[1246]: time="2021-10-26T17:50:58Z" level=info msg="RRDP: https://rrdp.arin.net/notification.xml has 0 deltas to parse (cur: 49882, last: 49882)"
Oct 27 04:50:58 rpki01 f57670700d60[1246]: time="2021-10-26T17:50:58Z" level=info msg="RRDP: finished processing notifications (0). Last serial 49882"
Oct 27 04:50:58 rpki01 f57670700d60[1246]: time="2021-10-26T17:50:58Z" level=info msg="RRDP sync https://rpki1.terratransit.de/rrdp/notification.xml"
Oct 27 04:50:58 rpki01 f57670700d60[1246]: time="2021-10-26T17:50:58Z" level=info msg="RRDP: Downloading root notification https://rpki1.terratransit.de/rrdp/notification.xml"
…..
…..
Oct 27 04:54:38 rpki01 f57670700d60[1246]: time="2021-10-26T17:54:38Z" level=error msg="expiration issue for certificate ski:a83ab2c6ed0667e3b1d12693ae280b538292338c aki:b97dc46099cd50fcf299da5e82b005646984c4f3: Certificate beginning of validity: 2021-11-07 06:51:50 +0000 UTC is after: 2021-10-26 17:54:01.517023988 +0000 UTC"
Oct 27 04:54:40 rpki01 f57670700d60[1246]: time="2021-10-26T17:54:40Z" level=error msg="expiration issue for certificate ski:be9ebd64aa77c69dc3653c62d9405896fe546ab2 aki:797d88d813e20fff982cc7419e969baea6bfd69b: Certificate end of validity: 2021-08-26 07:58:47 +0000 UTC is before: 2021-10-26 17:54:01.517023988 +0000 UTC"
Oct 27 04:54:41 rpki01 f57670700d60[1246]: time="2021-10-26T17:54:41Z" level=error msg="expiration issue for certificate ski:f54618c9a2a7b6e0dcdcd1d6329206ddab19dde1 aki:797d88d813e20fff982cc7419e969baea6bfd69b: Certificate end of validity: 2021-08-26 07:58:12 +0000 UTC is before: 2021-10-26 17:54:01.517023988 +0000 UTC"
Oct 27 04:57:33 rpki01 f57670700d60[1246]: time="2021-10-26T17:57:33Z" level=error msg="revocation due to manifest issue for certificate ski:5d35939557110cc43429ae301f7cef0e5889942b aki:0e65a4f5fd36b5bd68eb3c923408978c907aa79f"
Oct 27 04:57:33 rpki01 f57670700d60[1246]: time="2021-10-26T17:57:33Z" level=error msg="parent issue for certificate ski:408d4ce1b008c186db6933dbf9ee9e175e07030c aki:5d35939557110cc43429ae301f7cef0e5889942b: missing parent"
Oct 27 04:57:33 rpki01 f57670700d60[1246]: time="2021-10-26T17:57:33Z" level=error msg="revocation due to manifest issue for certificate ski:5d35939557110cc43429ae301f7cef0e5889942b aki:0e65a4f5fd36b5bd68eb3c923408978c907aa79f"
Oct 27 04:57:33 rpki01 f57670700d60[1246]: time="2021-10-26T17:57:33Z" level=error msg=""
Oct 27 05:07:21 rpki01 f57670700d60[1246]: time="2021-10-26T18:07:21Z" level=error msg="expiration issue for certificate ski:5b2576145345854e2fa3c5456230e6d834186699 aki:47ca36b68f7ebb87a8e744a7072f9e3d860263a1: Certificate end of validity: 2021-06-18 16:21:00 +0000 UTC is before: 2021-10-26 18:01:50.898144585 +0000 UTC"
Oct 27 05:07:21 rpki01 f57670700d60[1246]: time="2021-10-26T18:07:21Z" level=error msg="revocation due to manifest issue for certificate ski:fa048af3ea62e5575b4698c5cc2403982893f0c5 aki:721e5b49438ec0c95d40798ba788778fa954cb3a"
……
……
Oct 27 05:18:43 rpki01 f57670700d60[1246]: time="2021-10-26T18:18:43Z" level=error msg="revocation due to manifest issue for certificate ski:7ea5316dbdac01cd05d0eaa05a89c04da3e7398f aki:2a94a8dd554ae701072099c70b6407555ddde669"
Oct 27 05:18:43 rpki01 f57670700d60[1246]: time="2021-10-26T18:18:43Z" level=error msg="parent issue for certificate ski:d885844510c0c353cbdf685184804d1b970632e8 aki:7ea5316dbdac01cd05d0eaa05a89c04da3e7398f: missing parent"
Oct 27 05:18:43 rpki01 f57670700d60[1246]: time="2021-10-26T18:18:43Z" level=error msg="revocation due to manifest issue for certificate ski:7ea5316dbdac01cd05d0eaa05a89c04da3e7398f aki:2a94a8dd554ae701072099c70b6407555ddde669"
Oct 27 05:18:43 rpki01 f57670700d60[1246]: time="2021-10-26T18:18:43Z" level=error msg="parent issue for certificate ski:9efc117bc3c7ebb263a2031b543cf3bf4e09a224 aki:7ea5316dbdac01cd05d0eaa05a89c04da3e7398f: missing parent"
……
…..
Oct 27 05:20:48 rpki01 f57670700d60[1246]: time="2021-10-26T18:20:48Z" level=info msg="Stable state. Revalidating in 20m0s"

Below mentioned line shows that the validator was in stable state after stable state it starts the validation -
Oct 27 04:30:57 rpki01 f57670700d60[1246]: time="2021-10-26T17:30:57Z" level=info msg="Stable state. Revalidating in 20m0s"
During the process of validation it starts getting the error parent issue for certificate ski:a737a17cf23ac890b4b67ca41eed6ee8cdaaeb1d aki:2bbfef195f7b4083df377b2ffbc77b50dd100ae3: missing parent. It took around 15 -20 mins to come out of it and then again it went in to validation state. So this error is basically increasing the processing time.
Oct 27 05:20:48 rpki01 f57670700d60[1246]: time="2021-10-26T18:20:48Z" level=info msg="Stable state. Revalidating in 20m0s"
So if we see the total time it’s around 50 mins.
I also ran the below command to check the stable state for validator(Cloudflare)

[email protected] prod]# grep -i 'Stable state' /var/log/messages
Oct 27 04:30:57 rpki01 f57670700d60[1246]: time="2021-10-26T17:30:57Z" level=info msg="Stable state. Revalidating in 20m0s"
Oct 27 05:20:48 rpki01 f57670700d60[1246]: time="2021-10-26T18:20:48Z" level=info msg="Stable state. Revalidating in 20m0s”

Please find the attached log file (detailed) from the ocrtorpki -
Cloudflare_log.txt

Problem

The codahale/hdrhistogram repo has been transferred under the github HdrHstogram umbrella with the help from the original author in Sept 2020 (new repo url https://github.com/HdrHistogram/hdrhistogram-go). The main reasons are to group all implementations under the same roof and to provide more active contribution from the community as the original repository was archived several years ago.

The dependency URL should be modified to point to the new repository URL. The tag "v0.9.0" was applied at the point of transfer and will reflect the exact code that was frozen in the original repository.

If you are using Go modules, you can update to the exact point of transfer using the @v0.9.0 tag in your go get command.

go mod edit -replace github.com/codahale/hdrhistogram=github.com/HdrHistogram/[email protected]

Performance Improvements

From the point of transfer, up until now (mon 16 aug 2021), we've released 3 versions that aim support the standard HdrHistogram serialization/exposition formats, and deeply improve READ performance.
We recommend to update to the latest version.

I am trying to integrate OctoRPKI to Grafana. It was integrated but noticed that there's no ROAS coming from ARIN. Please refer below for reference.

Your assistance and help would be much appreciated. Thank you.

Hi,

We're running octorpki on a couple of servers, and have found they are both getting hung up on a particular repo with network timeouts, and it stops processing of future requests.

We've got.. some sort of network issue reaching this repo, as it works from other places. For some reason our requests just time out every now and then. Regardless I would want octorpki to gracefully handle that sort of thing - there seems to be a lot of half baked rpki repos so I guess we want to be pretty robust dealing with those.

Below are some logs and relevant processes running. Notable is the rsync zombie process, I wonder if there's something odd going on here where rsync is forking unexpectedly so rsync timeout doesn't work like we'd hope, or something.

If I kill the rsync process (not the zombie) it moves on.

We're on centos 7.9, and I've included the rsync and octorpki versions below.

It looks like we should be upgrading to 1.3.0 anyway, so I'll get to doing that, but I don't see any changes which would be related to this issue.

Oct 20 11:21:31 ote-rpki-1 octorpki: time="2021-10-20T11:21:31+13:00" level=info msg="RRDP: Downloading root notification https://ca.rg.net/rrdp/notify.xml"
Oct 20 11:21:31 ote-rpki-1 octorpki: time="2021-10-20T11:21:31+13:00" level=info msg="RRDP sync https://ca.rg.net/rrdp/notify.xml"
Oct 20 11:21:33 ote-rpki-1 octorpki: time="2021-10-20T11:21:33+13:00" level=error msg="Error when processing https://ca.rg.net/rrdp/notify.xml (for rsync://ca.rg.net/rpki): error fetching for repo rrdp:https://ca.rg.net/rrdp/notify.xml (rsync:rsync://ca.rg.net/rpki): status is 404. Will add to rsync."
Oct 20 11:22:18 ote-rpki-1 octorpki: time="2021-10-20T11:22:18+13:00" level=info msg="RRDP: Downloading root notification https://cc.rg.net/rrdp/notify.xml"
Oct 20 11:22:18 ote-rpki-1 octorpki: time="2021-10-20T11:22:18+13:00" level=info msg="RRDP sync https://cc.rg.net/rrdp/notify.xml"
Oct 20 11:22:29 ote-rpki-1 octorpki: time="2021-10-20T11:22:29+13:00" level=error msg="Error when processing https://cc.rg.net/rrdp/notify.xml (for rsync://cc.rg.net/rpki): error fetching for repo rrdp:https://cc.rg.net/rrdp/notify.xml (rsync:rsync://cc.rg.net/rpki): Get \"https://cc.rg.net/rrdp/notify.xml\": net/http: TLS handshake timeout. Will add to rsync."
Oct 20 11:22:48 ote-rpki-1 octorpki: time="2021-10-20T11:22:48+13:00" level=info msg="RRDP: Downloading root notification https://cb.rg.net/rrdp/notify.xml"
Oct 20 11:22:48 ote-rpki-1 octorpki: time="2021-10-20T11:22:48+13:00" level=info msg="RRDP sync https://cb.rg.net/rrdp/notify.xml"
Oct 20 11:23:18 ote-rpki-1 octorpki: time="2021-10-20T11:23:18+13:00" level=error msg="Error when processing https://cb.rg.net/rrdp/notify.xml (for rsync://cb.rg.net/rpki): error fetching for repo rrdp:https://cb.rg.net/rrdp/notify.xml (rsync:rsync://cb.rg.net/rpki): Get \"https://cb.rg.net/rrdp/notify.xml\": dial tcp 147.28.0.46:443: i/o timeout. Will add to rsync."
Oct 20 11:23:39 ote-rpki-1 octorpki: time="2021-10-20T11:23:39+13:00" level=info msg="Rsync sync rsync://cb.rg.net/rpki"
Oct 20 11:25:47 ote-rpki-1 octorpki: time="2021-10-20T11:25:47+13:00" level=info msg="Rsync sync rsync://cc.rg.net/rpki"
Oct 20 11:25:47 ote-rpki-1 octorpki: time="2021-10-20T11:25:47+13:00" level=error msg="Error when processing cache/cb.rg.net/rpki (for {0xc00010e4d0}): exit status 10. Will add to rsync."
Oct 20 11:25:47 ote-rpki-1 octorpki: time="2021-10-20T11:25:47+13:00" level=error msg="rsync error: error in socket IO (code 10) at clientserver.c(125) [Receiver=3.1.2]"
Oct 20 11:25:47 ote-rpki-1 octorpki: time="2021-10-20T11:25:47+13:00" level=error msg="rsync: failed to connect to cb.rg.net (2001:418:1::46): Network is unreachable (101)"
Oct 20 11:25:47 ote-rpki-1 octorpki: time="2021-10-20T11:25:47+13:00" level=error msg="rsync: failed to connect to cb.rg.net (147.28.0.46): Connection timed out (110)"

octorpki 24723  0.0 52.3 3667600 2031876 ?     Ssl  Oct20   3:36 /usr/bin/octorpki -cache cache/ -cors.origins * -http.addr :8080 -http.cache -http.info /infos -http.metrics /metrics -loglevel info -manifest.use -mode server -output.roa output.json -output.sign -output.sign.key private.pem -output.sign.validity 1h -output.wait -refresh 20m -rrdp -rrdp.failover -rrdp.file rrdp.json -rsync.bin /usr/bin/rsync -rsync.timeout 20m -tal.root tals/afrnic.tal,tals/apnic.tal,tals/arin.tal,tals/lacnic.tal,tals/ripe.tal
octorpki  2068  0.0  0.0      0     0 ?        Z    Oct20   0:00  \_ [rsync] <defunct>
octorpki  2072  0.0  0.0 122504   336 ?        S    Oct20   0:00 /usr/bin/rsync -var rsync://cc.rg.net/rpki cache/cc.rg.net/rpki

[nward@ote-rpki-1 ~]$ rsync --version
rsync  version 3.1.2  protocol version 31
Copyright (C) 1996-2015 by Andrew Tridgell, Wayne Davison, and others.
Web site: http://rsync.samba.org/
Capabilities:
    64-bit files, 64-bit inums, 64-bit timestamps, 64-bit long ints,
    socketpairs, hardlinks, symlinks, IPv6, batchfiles, inplace,
    append, ACLs, xattrs, iconv, symtimes, prealloc

rsync comes with ABSOLUTELY NO WARRANTY.  This is free software, and you
are welcome to redistribute it under certain conditions.  See the GNU
General Public Licence for details.
[nward@ote-rpki-1 ~]$ octorpki --version
OctoRPKI v1.2.2 (2020-12-09T20:04:56+0000)

When upgrading from 1.3.0 to 1.4.2 on an Ubuntu Server 18.04 I got the following errors:

`+ adduser --system --home /var/lib/octorpki --shell /usr/sbin/nologin --disable-login --group octorpki
Unknown option: disable-login
adduser [--home DIR] [--shell SHELL] [--no-create-home] [--uid ID]
[--firstuid ID] [--lastuid ID] [--gecos GECOS] [--ingroup GROUP | --gid ID]
[--disabled-password] [--disabled-login] [--add_extra_groups]
[--encrypt-home] USER
Add a normal user

adduser --system [--home DIR] [--shell SHELL] [--no-create-home] [--uid ID]
[--gecos GECOS] [--group | --ingroup GROUP | --gid ID] [--disabled-password]
[--disabled-login] [--add_extra_groups] USER
Add a system user

adduser --group [--gid ID] GROUP
addgroup [--gid ID] GROUP
Add a user group

addgroup --system [--gid ID] GROUP
Add a system group

adduser USER GROUP
Add an existing user to an existing group

general options:
--quiet | -q don't give process information to stdout
--force-badname allow usernames which do not match the
NAME_REGEX[_SYSTEM] configuration variable
--extrausers uses extra users as the database
--help | -h usage message
--version | -v version number and copyright
--conf | -c FILE use FILE as configuration file
`
I created the user without the --disable-login option but that was not enough, the service wouldn't come up. After a little debugging I found that the unit file was still trying to run the service as root.

I also had to edit /etc/systemd/system/multi-user.target.wants/octorpki.service and change

User=root
to
User=octorpki

and at last, change the owner of /srv/cache and tals to the new user: octorpki

Let me know if you can reproduce any of this or if you need more info / tests to be performed.

Hi,

Would you be so kind to advise what these errors are about and how to resolve them? Are they expected?

Jul 08 09:41:48 xxx octorpki[25437]: time="2020-07-08T09:41:48+02:00" level=error msg="Error when processing https://rpkica.mckay.com/rrdp/notify.xml (for rsync://rpkica.mckay.com/rpki/MCnet/): Fetching error: Get https://rpkica.mckay.com/rrdp/notify.xml: x509: certificate signed by unknown authority. Will add to rsync."
Jul 08 09:42:08 xxx octorpki[25437]: time="2020-07-08T09:42:08+02:00" level=error msg="Error exploring file: open cache/rpki.cnnic.cn/rpki/A9162E3D0000/73/CfUv1bVUg5EXd8PcpEpl08lfhYA.mft: no such file or directory"
Jul 08 09:42:08 xxx octorpki[25437]: time="2020-07-08T09:42:08+02:00" level=error msg="Error exploring file: open cache/rpki.cnnic.cn/rpki/A9162E3D0000/643/PgsdlIaQ7Nxy4-Rg5eY-3pU8JOg.mft: no such file or directory"
Jul 08 09:42:08 xxx octorpki[25437]: time="2020-07-08T09:42:08+02:00" level=error msg="Error exploring file: open cache/rpki.cnnic.cn/rpki/A9162E3D0000/423/Xb2Ek-hXQR0lkZ2GO7t9n_zfQCY.mft: no such file or directory"
Jul 08 09:42:08 xxx octorpki[25437]: time="2020-07-08T09:42:08+02:00" level=error msg="Error adding Resource HCA8w1r7tOjORLbFUIT2dgPwbNE.roa: Certificate was revoked by issuer 1c203cc35afbb4e8ce44b6c55084f67603f06cd1"
Jul 08 09:42:08 xxx octorpki[25437]: time="2020-07-08T09:42:08+02:00" level=error msg="Error adding Resource I4H8sMngqZ2Zy-SwjFrX1rxaW1s.roa: Certificate was revoked by issuer 2381fcb0c9e0a99d99cbe4b08c5ad7d6bc5a5b5b"
Jul 08 09:42:08 xxx octorpki[25437]: time="2020-07-08T09:42:08+02:00" level=error msg="Error adding Resource O9PqoAj_WzgETD_1WF_9bOBHh0E.roa: Certificate was revoked by issuer 3bd3eaa008ff5b38044c3ff5585ffd6ce0478741"
Jul 08 09:42:08 xxx octorpki[25437]: time="2020-07-08T09:42:08+02:00" level=error msg="Error adding Resource OvLhPkEnHO_zJk5Wu0H9pSKWm5k.roa: Certificate was revoked by issuer 3af2e13e41271ceff3264e56bb41fda522969b99"
Jul 08 09:42:08 xxx octorpki[25437]: time="2020-07-08T09:42:08+02:00" level=error msg="Error adding Resource aET8SccSusg_odabkY5k2oHFoNs.roa: Certificate was revoked by issuer 6844fc49c712bac83fa1d69b918e64da81c5a0db"
Jul 08 09:42:08 xxx octorpki[25437]: time="2020-07-08T09:42:08+02:00" level=error msg="Error adding Resource beRcMl46Qsx8jDL5WyPT5Mh9yuU.roa: Certificate was revoked by issuer 6de45c325e3a42cc7c8c32f95b23d3e4c87dcae5"
Jul 08 09:42:08 xxx octorpki[25437]: time="2020-07-08T09:42:08+02:00" level=error msg="Error adding Resource c590Zx7vUgKibBkMpQqjGX-wLwY.roa: Certificate was revoked by issuer 739f74671eef5202a26c190ca50aa3197fb02f06"
Jul 08 09:42:08 xxx octorpki[25437]: time="2020-07-08T09:42:08+02:00" level=error msg="Error adding Resource pky2i1jkAIp2zsZSfhGKOBYIGW4.roa: Certificate was revoked by issuer a64cb68b58e4008a76cec6527e118a381608196e"
Jul 08 09:42:08 xxx octorpki[25437]: time="2020-07-08T09:42:08+02:00" level=error msg="Error adding Resource yiDl9SIs5EoV--4SfiNjC8jgo3A.roa: Certificate was revoked by issuer ca20e5f5222ce44a15fbee127e23630bc8e0a370"
Jul 08 09:42:20 xxx octorpki[25437]: time="2020-07-08T09:42:20+02:00" level=error msg="Error exploring file: open cache/rpkica.mckay.com/rpki/MCnet/UEh2SAvdIgPsUFdv92RSSaNqBnY.mft: no such file or directory"

I launch container w/ mounted volume to /tals but failed to fetch data from RIR.
Logging shown as following.

time="2019-07-14T17:00:26+07:00" level=info msg="Validator started"
time="2019-07-14T17:00:26+07:00" level=info msg="Serving HTTP on :8080/output.json"
time="2019-07-14T17:00:26+07:00" level=info msg="Got open tals/afrinic.tal: no such file or directory but repository not yet synchronized"
time="2019-07-14T17:00:26+07:00" level=info msg="Got open tals/apnic.tal: no such file or directory but repository not yet synchronized"
time="2019-07-14T17:00:26+07:00" level=info msg="Got open tals/arin.tal: no such file or directory but repository not yet synchronized"
time="2019-07-14T17:00:26+07:00" level=info msg="Got open tals/lacnic.tal: no such file or directory but repository not yet synchronized"
time="2019-07-14T17:00:26+07:00" level=info msg="Got open tals/ripe.tal: no such file or directory but repository not yet synchronized"
time="2019-07-14T17:00:26+07:00" level=info msg="Stable state. Revalidating in 20m0s"

I found that /tals/*.tal files are missing.

Please add VOLUME [ "/tals" ] in to Dockerfile and Dockerfile.prod

On running the tool for the first time, users are presented with a number of red "error" logs that are not really errors, such as:

INFO[0000] Validator started
ERRO[0000] open rrdp.json: no such file or directory
ERRO[0000] Error exploring file: open cache/rpki.afrinic.net/repository/AfriNIC.cer: no such file or directory
ERRO[0000] Error exploring file: open cache/rpki.apnic.net/repository/apnic-rpki-root-iana-origin.cer: no such file or directory
ERRO[0000] Error exploring file: open cache/rpki.arin.net/repository/arin-rpki-ta.cer: no such file or directory
ERRO[0000] Error exploring file: open cache/repository.lacnic.net/rpki/lacnic/rta-lacnic-rpki.cer: no such file or directory
ERRO[0000] Error exploring file: open cache/rpki.ripe.net/ta/ripe-ncc-ta.cer: no such file or directory
INFO[0000] Still exploring. Revalidating now
INFO[0000] Rsync sync rsync://rpki.arin.net/repository/arin-rpki-ta.cer
INFO[0001] Rsync sync rsync://rpki.ripe.net/ta/ripe-ncc-ta.cer
INFO[0002] Rsync sync rsync://rpki.afrinic.net/repository/AfriNIC.cer
INFO[0004] Rsync sync rsync://rpki.apnic.net/repository/apnic-rpki-root-iana-origin.cer
INFO[0007] Rsync sync rsync://repository.lacnic.net/rpki/lacnic/rta-lacnic-rpki.cer
ERRO[0010] Error exploring file: open cache/rpki.afrinic.net/repository/04E8B0D80F4D11E0B657D8931367AE7D/62gPOPXWxxu0sQa4vQZYUBLaMbY.mft: no such file or directory
ERRO[0010] Error exploring file: open cache/rpki.apnic.net/repository/838DB214166511E2B3BC286172FD1FF2/C5zKkN0Neoo3ZmsZIX_g2EA3t6I.mft: no such file or directory
ERRO[0010] Error exploring file: open cache/rpki.arin.net/repository/arin-rpki-ta/arin-rpki-ta.mft: no such file or directory
ERRO[0010] Error exploring file: open cache/repository.lacnic.net/rpki/lacnic/rta-lacnic-rpki.mft: no such file or directory
ERRO[0010] Error exploring file: open cache/rpki.ripe.net/repository/ripe-ncc-ta.mft: no such file or directory
INFO[0010] Still exploring. Revalidating now

As these files haven't been created yet (it's the first run) these really ought to be "info" priority, or "warning" at most. An error generally means something that is causing functionality to stop due to an unexpected issue that may not be able to be recovered from.

Would you consider changing these to a lower priority, and/or to change the message so that it indicates this is a recoverable state to be in?

Unable to start OctoRPKI service due to the below error:

root@octorpki:/home/octorpki# systemctl status octorpki
× octorpki.service - OctoRPKI
Loaded: loaded (/lib/systemd/system/octorpki.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Sat 2023-04-29 08:36:33 UTC; 1s ago
Process: 1891 ExecStart=/usr/bin/octorpki $OCTORPKI_ARGS (code=exited, status=1/FAILURE)
Main PID: 1891 (code=exited, status=1/FAILURE)
CPU: 15ms

Apr 29 08:36:33 octorpki systemd[1]: Started OctoRPKI.
Apr 29 08:36:33 octorpki octorpki[1891]: time="2023-04-29T08:36:33Z" level=info msg="Validator started"
Apr 29 08:36:33 octorpki octorpki[1891]: time="2023-04-29T08:36:33Z" level=fatal msg="Failed to create directories "cache/": mkdir cache/: permission denied"
Apr 29 08:36:33 octorpki systemd[1]: octorpki.service: Main process exited, code=exited, status=1/FAILURE
Apr 29 08:36:33 octorpki systemd[1]: octorpki.service: Failed with result 'exit-code'.

any recommendations to fix this? thank you.

Add sbgp-ipAddrBlock prefixes to slurm-style 'prefixfilter' when CA PP distrusted, so that missing ROAs in one part of the tree does not negatively affect BGP when the ROAs from the other side of the tree are used.

Similar thinking is done here NLnetLabs/routinator#319 (comment)

Draft forthcoming.

Is there a way to run octorpki like we can run rpki-client -n or routinator vrps -n?

In both tools the -n flag means to only do the validation step, and assume that the -cache /var/cache/rpki-client directory is fully populated

Hi,

I'm running octorpki for monitoring purposes and I've noticed that it fails to properly handle the situation where one delta cannot be processed (either because a hash mismatch or because it's not available on disk yet).

Both routinator and rpki-client fall back to using the last snapshot. However octorpki rejects the whole TA until a new session is created in the repository or one locally cleans up the cache.

Could you please also publish the v1.3.0 to docker hub? Currently latest ist v1.2.2

Per NLnetLabs/krill#125

RFC: https://tools.ietf.org/html/rfc8630#section-2.4

With the current default configuration of OctoRPKI it does not sucessfully fetch anything for LACNIC.

The current shipped file is different from the one on the LACNIC website: https://www.lacnic.net/4984/2/lacnic/rpki-rpki-trust-anchor

Hi,

I've noticed a problem when we use a proxy with the ENV variables (HTTP_PROXY & RSYNC_PROXY).
When the proxy doesn't work for some reason, OctoRPKI failed to fetch the TALs and turn in a stable state with revalidation in 20 minutes.

In the attached file is an example with a connection refused on the proxy (bad port configured intentionally on the ENV variables) : octorpki_proxyerror.log

Thanks!

Hi,
I am in the evaluation phase of different RPKI validator software provider. For the comparison of the results I use the metrics output. Regarding this I have some questions or feature requests:

Namespace
For monitoring different metrics with one prometheus instance it is necessary to identify the domain the metric belongs to. Please use a prefix (e.g. octorpki) as described here https://prometheus.io/docs/practices/naming/

Metric value "roas"
What does the "roas" metrics exactly stands for? Counting the roa files in the cache I get a number of 48869 files which is far away form the values in the roas metric output below.

It seems, that it is a counter for vrps (validated roas payload) which is a pair of asn/prefix/maxlength. If this is true, "octorpki_vrps_total{tal=''}" would make more sence.

Counting inaccuracy
Looking deeper in the results I have extracted the data from the json file and create a csv file with one vrps (asn/prefix/maxlength/ta) per line. Doing a line grep for each tal I get the following numbers which are little lower than the values in the metric file.

Convert oktorpki.json to octorpki.csv :
Line grep and count on octorpki.csv :
[afrinic] :  1359
[apnic]   :  49342
[arin]    :  15890
[lacnic]  :  10149
[ripe]    :  95403
-----------------

ROAs per TAL Info from octorpki.metrics file :
# HELP roas Bytes received by the application.
# TYPE roas gauge
roas{ta="AFRINIC"} 1375
roas{ta="APNIC"} 49110
roas{ta="ARIN"} 17978
roas{ta="LACNIC"} 11043
roas{ta="RIPE"} 95156
-----------------

It seems, that there are some duplicate vrps in the data when you create the metrics counter. To get the real number of vrps it would be nice to create an additional metric "octorpki_vrps_unique{tal=''"}

Regards, Frank

output.json generated by OctoRPKI is missing LACNIC. I see reports that other see the same issue (please see link below). https://rpki.cloudflare.com/?ohlcTa=LACNIC shows a recent issue. Can you shed some light on it?

https://www.mail-archive.com/[email protected]/msg112880.html

At the moment, the Dockerfile specifies a volume for the tals:

There shouldn't really be any need to specify this: If the user doesn't specify a mount at run-time, they end up with an anonymous container littering their system when nothing writes to these files during run-time.

Likewise, the rrdp.json file and cache/ directory are good candidates for making into volumes as these should really persist between container runs if possible. Personally, for testing I've been passing "-rrdp.file=/cache/rrdp.json" as a command option, and creating a "/cache" named volume so that data can persist.

Happy to share the (monstrosity that is my) docker-compose.yml file that I've been testing with, out of band, to show you how I've been handling the situation so far.

LACNIC has Manifests with very short expiries. It appears that OctoRPKI still considers these manifests valid, and keeps the prefixes contained within them, causing stale information.
eg, at time of writing: https://rpki.cloudflare.com/?view=explorer&prefix=2804%3A393c%3A8000%3A%3A%2F3

4

In a MITM scenario where an attacker intercepts and manipulates the rsync channel (for example strategically withholding certain .roa files from the view of the validator being attacked), the resulting set of VRPs will be incomplete and can cause severe operational issues. (Note that a MITM can trivially downgrade RPKI fetches from RRDP to rsync)

When a manifest is valid (manifest is parsable, CRL exists is valid (also not expired), and manifest is signed with keys not revoked by the CRL), and references files which do not exist in the repository at hand, the publication point should be considered compromised.

So in the case of APNIC where an End User (self-hosted) RPKI publication point misses a few .roa files, the validator can proceed to consider all data from all RPs it could reach eligeble for further validation, except any data from the publication point where files were missing.

In other words: if one or a few files are missing from the repository, the repository should be considered 'down', and no attempt should be made to start guessing what can be salvaged and what not.

I'm currently running tests with various validators, GETting JSON output and post-processing it. It would be very useful if the JSON output would be served with a Last-Modified header field, indicating the time when the last validation run finished.

(see also NLnetLabs/routinator#469)

After a single RRDP error the rrdp_errors metric increased to 1. However it did not recover on 0 on later, successful runs (as I would expect a gauge to do). This caused my alert to keep firing.

I see

# HELP rrdp_errors RRDP error count.
# TYPE rrdp_errors gauge
...
rrdp_errors{address="https://rrdp.ripe.net/notification.xml"} 1

While the log ends with

2021-07-16T09:40:37.483239000Z time="2021-07-16T09:40:37Z" level=info msg="RRDP sync https://rrdp.ripe.net/notification.xml"
2021-07-16T09:40:37.483515000Z time="2021-07-16T09:40:37Z" level=info msg="RRDP: Downloading root notification https://rrdp.ripe.net/notification.xml"
2021-07-16T09:40:37.511614000Z time="2021-07-16T09:40:37Z" level=info msg="RRDP: https://rrdp.ripe.net/notification.xml has 0 deltas to parse (cur: 4190, last: 4190)"

Where I do not see an RRDP error.

To be fair, this is a nit. But if this is really a counter I would prefer that type - I would have written an increase(...) alert instead.

Hello, was trying to start octorpki using the basic usage instructions in the readme. (I added the second line to copy the arin.tal into the tals folder)

$ mkdir tals && mkdir cache && touch cache/rrdp.json
$ cp arin-rfc7730.tal tals/arin.tal
$ chmod 770 -R tals && chmod 770 -R cache && chmod 770 cache/rrdp.json
$ docker run -ti --net=host -v $PWD/tals:/tals -v $PWD/cache:/cache -p 8080:8080 cloudflare/octorpki

Results in:

INFO[0000] Validator started
INFO[0000] Serving HTTP on :8080/output.json
INFO[0000] Got open tals/afrinic.tal: permission denied but repository not yet synchronized
INFO[0000] Got open tals/apnic.tal: permission denied but repository not yet synchronized
INFO[0000] Got open tals/arin.tal: permission denied but repository not yet synchronized
INFO[0000] Got open tals/lacnic.tal: permission denied but repository not yet synchronized
INFO[0000] Got open tals/ripe.tal: permission denied but repository not yet synchronized
INFO[0000] Stable state. Revalidating in 20m0s

Then I searched for other instructions and found this blog post:

https://blog.cloudflare.com/cloudflares-rpki-toolkit/

Which indicates:

$ docker run -ti \ -p 8080:8080 \ -v $PWD/cache:/cache \ -v path_to_arin_tal:/tals/arin.tal \ cloudflare/octorpki

(I changed path_to_arin_tal to /rpki/tals/arin.tal:

[drw@DrewVM rpki]# docker run -ti -p 8080:8080 -v /rpki/cache:/cache -v /rpki/tals/arin.tal:/tals/arin.tal cloudflare/octorpki

INFO[0000] Validator started
INFO[0000] Serving HTTP on :8080/output.json
INFO[0000] Got open cache/rpki.afrinic.net/repository/AfriNIC.cer: permission denied but repository not yet synchronized
INFO[0000] Got open cache/rpki.apnic.net/repository/apnic-rpki-root-iana-origin.cer: permission denied but repository not yet synchronized
INFO[0000] Got open cache/rpki.arin.net/repository/arin-rpki-ta.cer: permission denied but repository not yet synchronized
INFO[0000] Got open cache/repository.lacnic.net/rpki/lacnic/rta-lacnic-rpki.cer: permission denied but repository not yet synchronized
INFO[0000] Got open cache/rpki.ripe.net/ta/ripe-ncc-ta.cer: permission denied but repository not yet synchronized

I validated docker using hello world and ubuntu.. any ideas how to get this thing to start?

I would like to test octorpki using my own testbed tal created via krill but the software doesn't recognize my tal. It doesn't even throw any error messages. I compiled octorpki using https://github.com/cloudflare/cfrpki#compile . I adapted the source code to include my new custom TAL in RootTALs

	RootTAL       = flag.String("tal.root", "tals/afrinic.tal,tals/apnic.tal,tals/arin.tal,tals/lacnic.tal,tals/ripe.tal,tals/ta.tal", "List of TAL separated by comma")
	TALNames      = flag.String("tal.name", "AFRINIC,APNIC,ARIN,LACNIC,RIPE,TEST", "Name of the TALs")

I deleted the other TALs from the TAL folder so that I could observer what happens with my TAL but for every validation run I get the following logs.

time="2021-12-28T10:15:20+01:00" level=info msg="Validator started"
time="2021-12-28T10:15:20+01:00" level=info msg="Serving HTTP on :8081/output.json"
time="2021-12-28T10:15:20+01:00" level=info msg="Still exploring. Revalidating now"
time="2021-12-28T10:15:20+01:00" level=info msg="Stable state. Revalidating in 20m0s"

My TAL works and is accessible via Routinator but with Octorpki I cant make it work. Any suggestion would be very appreciated.

remove tals from gitignore.

Hi,

When analysing HTTP access logs for a RRDP endpoint I noticed that all records for OctoRPKI have the same User-Agent

df_cf[['User-Agent', 'time']].head(1000).groupby(['User-Agent']).count().to_markdown()

It seems like the User-Agent is statically set in octorpki.go:1236. As a user doing an analysis of the adoption of newer versions of relying party software, in the future, it would help me if this header contained an indication of the version of OctoRPKI in use.

Background

Repo github.com/cloudflare/cfrpki depends on github.com/cloudflare/[email protected].

https://github.com/cloudflare/cfrpki/blob/master/go.mod#L6

However, comparing version v0.14.7 of github.com/cloudflare/gortr from proxy.golang.org and github, there are inconsistencies.

commit time of the copy on github.com

"committer": {
      "name": "Louis Poinsignon",
      "email": "[email protected]",
      "date": "2020-11-24T21:47:12Z"
    }

commit time of the copy on proxy.golang.org

{"Version":"v0.14.7","Time":"2020-11-23T23:41:09Z"}

So the checksum from the code in github does not match the checksum saved in sum.golang.org. The v0.14.7 tag of github.com/cloudflare/gortr might have been retagged after a minor edition on github. I guess you use proxy.golang.org to get dependencies, but that also shows that your project is depending on the copy of github.com/cloudflare/[email protected] before its edition. Depending upon such inconsistent tag version may also result in some unexpected errors as well as build errors due to different proxy settings.

For example, when someone who does not use proxy.golang.org, say GOPROXY=direct, attempts to get github.com/cloudflare/[email protected], the following error occurs.

go: downloading github.com/cloudflare/gortr v0.14.7
go: github.com/cloudflare/gortr@v0.14.7: verifying module: checksum mismatch
        downloaded: h1:YuSIN3f9tV0qDDeJhoY5cy9QcfAmfeis6K8MLSqiubs=
        sum.golang.org: h1:QlZRNa1O7heqgLk9ijwKtPigjzqvDHdPSwmSqSbiPaE=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

So, this is a reminder in the hope that you can get rid of this problematic version of project github.com/cloudflare/gortr.

Solution

1. Bump the version of dependency github.com/cloudflare/gortr

I would recommend bumping the version of github.com/cloudflare/gortr to a new release to ensure dependency copy in proxy.golang.org and github in sync.

References

• https://proxy.golang.org/

Yesterday, 2020-10-06, I pulled the new versions of the binary with:
go get -u github.com/cloudflare/cfrpki/cmd/octorpki
/infos returns with HTTP code 200 an a zero-byte json doc. /output.json and /metrics return fine. Running on CentOS 8.2:
cloudfl+ 169753 1 3 Oct06 ? 00:33:17 /opt/cloudflare/go/bin/octorpki -mode server -output.sign=false -http.addr :8080

Any ideas as t why?

I'm not sure how to best solve this, but by default you're using /output.json as output.roa which works for a Docker container in oneoff mode, and it works in server mode, but it doesn't work on most systems as it's going to try to write to disk at /.

I think it's probably best to change:

• https://github.com/cloudflare/cfrpki/blob/master/cmd/octorpki/octorpki.go#L755 to log.Infof("Serving HTTP on %v/%v", addr, path), and prepending a / to the Handlers if not already present (otherwise the server will return a 404).
• https://github.com/cloudflare/cfrpki/blob/master/cmd/octorpki/octorpki.go#L75 to Output = flag.String("output.roa", "output.json", "Output ROA file or URL")

That should mean that users will be able to run "oneoff" or "server" modes with the defaults without having to try different things via a process of trial and error.

Thoughts?

Hello folks,
more than an issue, a question.
We are running octo-rpki for a couple of months, and our monitoring system is warning us about RAM usage. We have a VM with 8GB of RAM + 1GB swap, and most of the time, the situation is this:

              total        used        free      shared  buff/cache   available
Mem:           8017        2952        4101           0         963        4966
Swap:          1023          30         993

But sometimes octo-rpki process starts using all the available memory: so the free memory is just few hundred MB and we get the alert. Is anyone having the same situation? Any hint?
We use:

 dpkg -l | grep RPKI
ii  gortr                                 0.11.4                                          amd64        GoRTR: a RPKI-to-Router server
ii  octorpki                              1.1.4                                           amd64        OctoRPKI: a RPKI validator

on Ubuntu 18.04.
Thanks!

Users no longer need to sign the ARIN Relying Party Agreement.

See https://www.arin.net/announcements/20220926/

Hi,

Would you be so kind to advise how to resolve the error with the ARIN TAL

Jul 08 09:06:47 xxx octorpki[23556]: time="2020-07-08T09:06:47+02:00" level=error msg="Error adding Resource tals/arin.tal: illegal base64 data at input byte 4"

I am attaching here the arin.tal with the .txt file extension (for GitHub to allow the upload)
arin.tal.txt

Hi, I am trying to understand why some ROAs appearing in OctoRPKI dataset but not in other validators. For example, <103.10.0.0/24, 24, 59083> is valid by OctoRPKI but neither RIPENCC validator nor Routinator has no this very ROA. 

Here is the response from routinator:

{
  "validated_route": {
    "route": {
      "origin_asn": "AS59083",
      "prefix": "103.10.0.0/24"
    },
    "validity": {
      "state": "not-found",
      "description": "No VRP Covers the Route Prefix",
      "VRPs": {
        "matched": [
        ],
        "unmatched_as": [
        ],
        "unmatched_length": [
        ]      }
    }
  }
}

Any idea why? Thanks!

Hi,

I am upgrading to 1.5.10, and note that the paths that are resolved for fetching certificates from RIRs are not quite right. In particular, mkdir is being called with cache/rpki.apnic.net/repository/apnic-rpki-root-iana-origin.cer, so the resulting file after rsync is cache/rpki.apnic.net/repository/apnic-rpki-root-iana-origin.cer/apnic-rpki-root-iana-origin.cer - which obviously is not what we want to happen. Same for other RIRs of course, APNIC was just an example here.

I note that there are recent changes around this - I am running 1.5.10 which should include these changes.

In #140 [1], I note that mustExtractFoldersPathFromRsyncURL was swapped out for mustExtractFilePathFromRsyncURL which I think is the cause of the issue here - though I suspect that it may have fixed a different issue when rsyncing a folder rather than a single file.

[1] https://github.com/cloudflare/cfrpki/pull/140/files#diff-f369afe0d4a19b68cd80c43aa46ae445147b43ea387c8019b93ad6888f79b200L557

I published a Ghostbusters Record RFC 6493, and suddenly octorpki lost visibility of all my .roa files. Now anyone can hijack my prefixes and cloudflare would believe those BGP updates! :-)

I understand that at this moment OctoRPKI does not support RFC 6493, but it should be noted that sha256 of the .gbr file matches what is listed on the .mft file, so there is cryptographic evidence that the CA intended the .gbr file to be there.

Additionally, ghostbuster records are not an unknown filetype as per IANA registry https://www.iana.org/assignments/rpki/rpki.xhtml

ERRO[0316] revocation due to manifest issue for certificate ski:4be2706ac16dc810b08cbeb400e17382b2c25a64 aki:2a94a8dd554ae701072099c70b6407555ddde669: Unknown file type
ERRO[0316] Unknown file type
ERRO[0316] revocation due to manifest issue for certificate ski:4be2706ac16dc810b08cbeb400e17382b2c25a64 aki:2a94a8dd554ae701072099c70b6407555ddde669

My suggestion would be to confirm the presence and hash of .gbr files with the manifest, but otherwise ignore those .gbr files, or alternatively to implement some form of support for 6493.

In comparison with other validators: rpki-client currently just ignores ghostbuster records (but does check completeness of the publication point using the manifest)

In case they need to be protected. (eg: Cloudflare Access)

When trying to run octorpki, it looks like it is choking on this file:

wu2-b8OX-KCC5qOjm3zOTSWbziE.cer.gz

ERRO[0002] Error adding Resource wu2-b8OX-KCC5qOjm3zOTSWbziE.cer: c2edbe6fc397f8a082e6a3a39b7cce4d259bce21 contains invalid IP addresses: [Min: 45.253.244.0 max: 45.253.255.255 61.29.240.0/20]

openssl shows:

% openssl x509 -inform DER -text -in ./cache/rpki.cnnic.cn/rpki/A9162E3D0000/wu2-b8OX-KCC5qOjm3zOTSWbziE.cer -noout
            sbgp-ipAddrBlock: critical
                IPv4:
                  45.253.244.0-45.253.255.255
                  61.29.240.0/20
                  103.64.24.0-103.64.127.255
                  103.64.140.0-103.64.147.255

Hi, we are a research group to help developers build secure applications. We designed a cryptographic misuse detector (i.e., CryptoGo) on Go language. We found your great public repository from Github, and several security issues detected by CryptoGo are shown in the following.
Note that the cryptographic algorithms are categorized with two aspects: security strength and security vulnerability based on NIST Special Publication 800-57 and other public publications. Moreover, CryptoGo defined certain rules derived from the APIs of Go cryptographic library and other popular cryptographic misuse detectors. The specific security issues we found are as follows:
(1) Location: validator/lib/tal.go:49;
Broken rule: SHA-1 is an insecure algorithm;
(2) Location: validator/lib/tal.go:125;
Broken rule: SHA-1 is an insecure algorithm;
(3) Location: validator/lib/cms.go:176;
Broken rule: RSASSA-PKCS1-v1_5 is deprecated;
We wish the above security issues could truly help you to build a secure application. If you have any concern or suggestion, please feel free to contact us, we are looking forward to your reply. Thanks.

With go v1.12, modules are now enabled natively. This issue tracks the move to use go mod.

For testing purposes I will like to run the octorpki validator with only rsync and have rrdp disabled. To also minimize the testing I am doing I removed all tal except the one from ripe.

When I start the validaor with rrdp false, I get the following output

./octorpki -rrdp=false -refresh=10s
INFO[0000] Validator started                            
INFO[0000] Serving HTTP on :8080/output.json            
INFO[0000] Got open tals/afrinic.tal: no such file or directory but repository not yet synchronized 
INFO[0000] Got open tals/apnic.tal: no such file or directory but repository not yet synchronized 
INFO[0000] Got open tals/arin.tal: no such file or directory but repository not yet synchronized 
INFO[0000] Got open tals/lacnic.tal: no such file or directory but repository not yet synchronized 
INFO[0000] Got open cache/rpki.ripe.net/repository/ripe-ncc-ta.mft: no such file or directory but repository not yet synchronized 
INFO[0000] Still exploring. Revalidating now            
INFO[0000] Rsync sync rsync://rpki.ripe.net/ta/ripe-ncc-ta.cer 
INFO[0000] Got open tals/afrinic.tal: no such file or directory but repository not yet synchronized 
INFO[0000] Got open tals/apnic.tal: no such file or directory but repository not yet synchronized 
INFO[0000] Got open tals/arin.tal: no such file or directory but repository not yet synchronized 
INFO[0000] Got open tals/lacnic.tal: no such file or directory but repository not yet synchronized 
INFO[0000] Got open cache/rpki.ripe.net/repository/ripe-ncc-ta.mft: no such file or directory but repository not yet synchronized 
INFO[0000] Stable state. Revalidating in 10s                        

If I do not turn rrdp off, lot more processing get's done, and I get a cache of the ripe repository...but now it just states Stable state and nothing happens...no cache is downloaded...

What may I be doing wrong?