-rw-r--r--myrpki/myrpki.conf18
-rw-r--r--myrpki/yamltest.py23
-rw-r--r--rpkid/rpki/https.py2
-rw-r--r--rpkid/rpki/left_right.py3
4 files changed, 24 insertions, 22 deletions
diff --git a/myrpki/myrpki.conf b/myrpki/myrpki.conf
index d7161a5d..58ffae75 100644
--- a/myrpki/myrpki.conf
+++ b/myrpki/myrpki.conf
@@ -138,27 +138,27 @@ child-bpki-cert = bpki.myirbe/child.cer
server-port = 4401
-rpki-root-dir = publication/localhost:4400/
-rpki-base-uri = rsync://localhost:4400/
-rpki-root-cert-uri = rsync://localhost:4400/rootd.cer
+rpki-root-dir = publication/localhost:4400/wombat/
+rpki-base-uri = rsync://localhost:4400/wombat/
+rpki-root-cert-uri = rsync://localhost:4400/wombat/root.cer
rpki-root-key = bpki.myirbe/ca.key
-rpki-root-cert = bpki.myirbe/rpkiroot.cer
+rpki-root-cert = publication/localhost:4400/wombat/root.cer
rpki-subject-pkcs10 = rootd.subject.pkcs10
rpki-subject-lifetime = 30d
-rpki-root-crl = Bandicoot.crl
-rpki-root-manifest = Bandicoot.mnf
+rpki-root-crl = root.crl
+rpki-root-manifest = root.mnf
-rpki-class-name = Wombat
-rpki-subject-cert = Wombat.cer
+rpki-class-name = wombat
+rpki-subject-cert = wombat.cer
[rpki_x509_extensions]
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
keyUsage = critical,keyCertSign,cRLSign
-subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://localhost:4400/,1.3.6.1.5.5.7.48.10;URI:rsync://localhost:4400/Bandicoot.mnf
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://localhost:4400/wombat/,1.3.6.1.5.5.7.48.10;URI:rsync://localhost:4400/wombat/root.mnf
sbgp-autonomousSysNum = critical,AS:0-4294967295
sbgp-ipAddrBlock = critical,IPv4:0.0.0.0/0,IPv6:0::/0
certificatePolicies = critical, @rpki_certificate_policy
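Review bot: The `wombat` path segment is now repeated by hand in `rpki-root-dir`, `rpki-base-uri`, `rpki-root-cert-uri`, `rpki-root-cert` and both `subjectInfoAccess` URIs, and nothing in the file says these values have to agree. A mismatch between the directory rootd publishes into and the SIA URIs baked into the root certificate would presumably leave relying parties fetching from a location that is never written. A comment above `rpki-root-dir` would make the constraint visible, for example `# The path after localhost:4400/ must be identical in rpki-root-dir, rpki-base-uri, rpki-root-cert-uri, rpki-root-cert and subjectInfoAccess`.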
diff --git a/myrpki/yamltest.py b/myrpki/yamltest.py
index 3df6e0bc..ee32338a 100644
--- a/myrpki/yamltest.py
+++ b/myrpki/yamltest.py
@@ -81,7 +81,7 @@ prog_rootd = cleanpath(rpkid_dir, "rootd.py")
prog_openssl = cleanpath(this_dir, "../openssl/openssl/apps/openssl")
-only_one_pubd = False
+only_one_pubd = True
class roa_request(object):
"""
@@ -396,13 +396,12 @@ class allocation(object):
r["myirbe", "want_rootd"] = "true" if self.is_root() else "false"
if self.is_root():
- r["rootd", "rpki-root-dir"] = "publication/localhost:%d/" % self.rsync_port
- r["rootd", "rpki-base-uri"] = "rsync://localhost:%d/" % self.rsync_port
- r["rootd", "rpki-root-cert-uri"] = "rsync://localhost:%d/rootd.cer" % self.rsync_port
- r["rpki_x509_extensions", "subjectInfoAccess"] = (
- ("1.3.6.1.5.5.7.48.5;URI:rsync://localhost:%d/,"
- "1.3.6.1.5.5.7.48.10;URI:rsync://localhost:%d/Bandicoot.mnf") %
- (self.rsync_port, self.rsync_port))
+ root_path = "localhost:%d/%s" % (self.rsync_port, self.name)
+ r["rootd", "rpki-root-dir"] = "publication/%s/" % root_path
+ r["rootd", "rpki-base-uri"] = "rsync://%s/" % root_path
+ r["rootd", "rpki-root-cert"] = "publication/%s/root.cer" % root_path
+ r["rootd", "rpki-root-cert-uri"] = "rsync://%s/root.cer" % root_path
+ r["rpki_x509_extensions", "subjectInfoAccess"] = "1.3.6.1.5.5.7.48.5;URI:rsync://%s/,1.3.6.1.5.5.7.48.10;URI:rsync://%s/root.mnf" % (root_path, root_path)
if self.runs_pubd():
r["pubd", "server-port"] = "%d" % self.pubd_port
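Review bot: `self.name` is interpolated unchecked into a filesystem path, two rsync URIs and the `subjectInfoAccess` extension value in the added `root_path` lines. Presumably the name comes from the YAML test description; a name containing `/` or `..` would move the publication directory, and a `,` or `;` would change how OpenSSL parses the SIA line. A guard before `root_path` is built would catch this early, for example `if "/" in self.name or self.name in (".", ".."): raise ValueError("bad entity name %r" % self.name)`. The same applies to `db.root.name` in the module-level `root_path` added in the next hunk. The enclosing method starts and ends outside this hunk.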
@@ -590,16 +589,18 @@ rootd_openssl("ca", "-notext", "-batch",
"-out", "bpki.myirbe/child.cer",
"-extensions", "ca_x509_ext_xcert0")
+root_path = "publication/localhost:%d/%s/" % (db.root.rsync_port, db.root.name)
+
+os.makedirs(db.root.path(root_path))
+
print "Creating rootd RPKI root certificate"
rootd_openssl("x509", "-req", "-sha256", "-outform", "DER",
"-signkey", "bpki.myirbe/ca.key",
"-in", "bpki.myirbe/ca.req",
- "-out", "bpki.myirbe/rpkiroot.cer",
+ "-out", "%s/root.cer" % root_path,
"-extfile", "myrpki.conf",
"-extensions", "rpki_x509_extensions")
-os.makedirs(db.root.path("publication/localhost:%d" % db.root.rsync_port))
-
# At this point we need to start a whole lotta daemons.
progs = []
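Review bot: The module-level `root_path` ends in `/`, so `"%s/root.cer" % root_path` passes OpenSSL an output path with a doubled slash (`.../<name>//root.cer`). That does not match the `rpki-root-cert` value `"publication/%s/root.cer"` written to the config in the previous hunk. The same name also means something different there (`localhost:%d/%s`, no `publication/` prefix, no trailing slash), which is easy to misread. Dropping the trailing slash keeps both spellings of the certificate path identical: `root_path = "publication/localhost:%d/%s" % (db.root.rsync_port, db.root.name)`.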
diff --git a/rpkid/rpki/https.py b/rpkid/rpki/https.py
index 92c0de37..4ee8e3b2 100644
--- a/rpkid/rpki/https.py
+++ b/rpkid/rpki/https.py
@@ -49,7 +49,7 @@ rpki_content_type = "application/x-rpki"
debug_http = False
# Verbose chatter about TLS certificates
-debug_tls_certs = True
+debug_tls_certs = False
# Whether we want persistent HTTP streams, when peer also supports them
want_persistent_client = True
diff --git a/rpkid/rpki/left_right.py b/rpkid/rpki/left_right.py
index 3ee75a33..08dd4fe7 100644
--- a/rpkid/rpki/left_right.py
+++ b/rpkid/rpki/left_right.py
@@ -411,7 +411,8 @@ class self_elt(data_elt):
def roa_requests_loop(iterator, roa_request):
def lose(e):
- rpki.log.traceback()
+ if not isinstance(e, rpki.exceptions.NoCoveringCertForROA):
+ rpki.log.traceback()
rpki.log.warn("Could not update ROA %r, skipping: %s" % (roa, e))
iterator()
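Review bot: The new `isinstance` test in `lose()` suppresses the traceback for `NoCoveringCertForROA` without saying why that exception is treated differently from every other failure. Presumably it is an expected condition when no certificate yet covers the requested prefixes, and the warning on the next line is enough for the operator. A comment would keep a later maintainer from "fixing" the asymmetry, for example `# NoCoveringCertForROA is an expected, non-fatal condition; the warning below is sufficient, so skip the traceback`. `roa_requests_loop` continues outside this hunk.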