Issuer certificate not found even tough it is in cache `ta` folder about rpki-client-portable HOT 5 CLOSED

And just in case there is no other way to get this done, let me ask this already as a follow-up: Is there a way to get the default TAL directory that is configured during install from rpki-client? Thanks!

from rpki-client-portable.

The documentation could perhaps make this a bit more explicit: rpki-client assumes that it owns the entire cache dir and it will delete the TALs you downloaded into it. It will then fall back to the system-wide installed TALs and fail to find the arin.tal, which we can't install due to politics.

If you make two subdirectories of your context.data_dir_rpki, one for the tals, and one for the cache, that should fix your issue. However, due to the way the trust anchors are found in filemode, you will need to pass the path to the arin.tal (and probably best to all the TALs) explicitly.

And no, as far as I know, there is currently no way to find the system-configured TAL directory from running the executable.

from rpki-client-portable.

@botovq Right, I just noticed that the TAL files are gone and wondered about that. Give me a day to see if this works and then I will close this ASAP. Thanks a lot!

from rpki-client-portable.

Also the ta files are the trust anchors which are validated using the tal. By design the tal have to live outside of the cache directory in a place that ideally can't be modified by rpki-client. These files are the anchor of the RPKI system and require special care. This is why in OpenBSD the TALs are located in /etc/rpki and are owned by root.

from rpki-client-portable.

Thanks a lot, @botovq @cjeker for clarifying. It seems it works now when I keep the tals folder outside of the cache and use them explicitly in file mode.

from rpki-client-portable.