Issuer certificate not found even though it is in cache ta folder #101

Closed
fjahr opened this issue Dec 19, 2023 · 5 comments

Comments

@fjahr

fjahr commented Dec 19, 2023

Hi, I am using rpki-client to download ROAs to a cache dir using the -d option. Lately, I ran into an issue due to the missing ARIN TAL. I can download the ARIN ROAs by providing the ARIN TAL with a -t and I also see the certificate in the ta folder in the cache dir. So this works as expected:

rpki-client -d /path/to/cache [-t /tal/files]

However, in the next step, I am validating the ROAs in the cache dir and it seems like the certificate in the ta folder is ignored. To make it explicit I run:

rpki-client -j -n -d /path/to/cache -P timestamp -f /roa/in/cache

I have also tried to pass the TAL as a -t to the validation command above but in both cases all the ARIN ROAs have the same error:

	"validation": "Failed",
	"error": "unable to get local issuer certificate"

I would have expected rpki-client to use the certificates in the ta folder if a cache dir is provided and it contains a ta folder with certificates. If there is another way or I misunderstood something, it would be great to know the correct way to deal with this. I guess moving the ARIN TAL to the /etc/rpki/ folder on the user's system would be a possible fix, but I would prefer it if I could keep the data used self-contained (all in the cache dir) and make it explicit where the file is that is used, just like I do with -t.

FWIW, the project is Kartograf and the file that contains the rpki-client usage is here: https://github.com/fjahr/kartograf/blob/master/kartograf/rpki/fetch.py

Thanks a lot!

@fjahr
Author

fjahr commented Dec 19, 2023

And just in case there is no other way to get this done, let me ask this already as a follow-up: Is there a way to get the default TAL directory that is configured during install from rpki-client? Thanks!

@botovq
Member

botovq commented Dec 19, 2023

The documentation could perhaps make this a bit more explicit: rpki-client assumes that it owns the entire cache dir, and it will delete the TALs you downloaded into it. It will then fall back to the system-wide installed TALs and fail to find arin.tal, which we can't install due to politics.

If you make two subdirectories of your context.data_dir_rpki, one for the tals, and one for the cache, that should fix your issue. However, due to the way the trust anchors are found in filemode, you will need to pass the path to the arin.tal (and probably best to all the TALs) explicitly.

And no, as far as I know, there is currently no way to find the system-configured TAL directory from running the executable.

@fjahr
Author

fjahr commented Dec 19, 2023

@botovq Right, I just noticed that the TAL files are gone and wondered about that. Give me a day to see if this works and then I will close this ASAP. Thanks a lot!

@cjeker
Member

cjeker commented Dec 20, 2023

Also, the ta files are the trust anchors, which are validated using the TAL. By design the TALs have to live outside of the cache directory, in a place that ideally can't be modified by rpki-client. These files are the anchor of the RPKI system and require special care. This is why in OpenBSD the TALs are located in /etc/rpki and are owned by root.

@fjahr
Author

fjahr commented Dec 20, 2023

Thanks a lot, @botovq @cjeker for clarifying. It seems it works now when I keep the tals folder outside of the cache and use them explicitly in file mode.
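The layout the thread settles on, as an added example that is not Kartograf's or rpki-client's own code: a `tals` directory kept outside the cache that rpki-client prunes, one `-t` per TAL file on both the fetch and the file-mode validation command, and a guard that rejects a TAL directory placed inside the cache (the cause of the deleted TALs above). Directory names, the `demo()` helper and the placeholder TAL files are assumptions; the rpki-client flags are the ones used in the thread.

```python
import tempfile
from pathlib import Path


def rpki_layout(data_dir) -> tuple[Path, Path]:
    """Two sibling dirs (assumed names): 'tals' holds inputs, 'cache' is rpki-client's."""
    base = Path(data_dir)
    return base / "tals", base / "cache"


def tal_dir_is_safe(tal_dir: Path, cache_dir: Path) -> bool:
    """False if the TAL dir is the cache dir or nested in it: rpki-client owns
    the cache and deletes files it did not create, so TALs stored there vanish."""
    tal_dir, cache_dir = tal_dir.resolve(), cache_dir.resolve()
    return tal_dir != cache_dir and cache_dir not in tal_dir.parents


def tal_args(tal_dir: Path) -> list[str]:
    """rpki-client takes -t once per TAL file, not a directory."""
    args: list[str] = []
    for tal in sorted(tal_dir.glob("*.tal")):
        args += ["-t", str(tal)]
    return args


def fetch_cmd(tal_dir: Path, cache_dir: Path) -> list[str]:
    if not tal_dir_is_safe(tal_dir, cache_dir):
        raise ValueError(f"TAL dir {tal_dir} would be wiped inside cache {cache_dir}")
    return ["rpki-client", "-d", str(cache_dir), *tal_args(tal_dir)]


def validate_cmd(tal_dir: Path, cache_dir: Path, roa: Path, timestamp: int) -> list[str]:
    # File mode (-f) does not find the trust anchors via the cache's ta/ folder,
    # so the TALs are passed explicitly here as well.
    if not tal_dir_is_safe(tal_dir, cache_dir):
        raise ValueError(f"TAL dir {tal_dir} would be wiped inside cache {cache_dir}")
    return ["rpki-client", "-j", "-n", "-d", str(cache_dir), "-P", str(timestamp),
            *tal_args(tal_dir), "-f", str(roa)]


def demo() -> dict:
    """Constructed layout in a temp dir with two empty placeholder TAL files."""
    base = Path(tempfile.mkdtemp())
    tal_dir, cache_dir = rpki_layout(base)
    tal_dir.mkdir()
    cache_dir.mkdir()
    for name in ("arin.tal", "ripe.tal"):  # placeholders, not real TALs
        (tal_dir / name).write_text("")
    roa = cache_dir / "ripe" / "example.roa"  # constructed path
    return {"base": base, "fetch": fetch_cmd(tal_dir, cache_dir),
            "validate": validate_cmd(tal_dir, cache_dir, roa, 1703030400)}
```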

@fjahr fjahr closed this as completed Dec 20, 2023