Description
When running FORT validator in standalone mode with a locally generated, self-signed TAL (from a private RPKI CA such as Krill), validation fails with error code -22 (Invalid argument).
All URIs in the TAL (HTTPS and rsync) are reachable locally, but FORT rejects the TAL and discards all validation results.
When I run:
ldz@ldz-OMEN-by-HP-Gaming-Laptop-16-wf0xxx:~/Downloads/FORT-validator/src$ sudo ./fort --tal /home/ldz/TAL/ta.tal --output.roa /var/lib/krill/test/vrps/fort/vrps --log.level=debug --mode standalone
I get:
Oct 20 10:46:56 ERR: /home/ldz/TAL/ta.tal: None of the URIs of the TAL '/home/ldz/TAL/ta.tal' yielded a successful traversal.
Oct 20 10:46:56 DBG: /home/ldz/TAL/ta.tal: Cleaning up old abandoned cache files.
Oct 20 10:46:56 DBG: /home/ldz/TAL/ta.tal: Node exists but file doesn't: /tmp/fort/repository/ta.tal/https/localhost:3000/rrdp/4e4d774c-a78a-4ecc-9a33-3d8cd9386b54/11/10171f08db645026/snapshot.xml
Oct 20 10:46:56 DBG: /home/ldz/TAL/ta.tal: Cleaning up unknown cache files.
Oct 20 10:46:56 DBG: The ta.tal tree took 0 seconds.
Oct 20 10:46:56 WRN: Validation from TAL '/home/ldz/TAL/ta.tal' yielded error -22 (Invalid argument); discarding all validation results.
Oct 20 10:46:56 INF: Validation finished:
Oct 20 10:46:56 INF: - Valid ROAs: 0
Oct 20 10:46:56 INF: - Valid Router Keys: 0
Oct 20 10:46:56 INF: - Real execution time: 0s
Oct 20 10:46:56 ERR: Validation unsuccessful; results unusable.
And here is my TA file content:
ldz@ldz-OMEN-by-HP-Gaming-Laptop-16-wf0xxx:~/Downloads$ cat /home/ldz/TAL/ta.tal
https://localhost:3000/ta/ta.cer
rsync://localhost/ta/ta.cer
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAukHdrDT48HOIfIf855BM
vwKRdA8yJ9/QmxqdDihDbYkfHUH+PwyUK5Ya1IhXntw3e1X90JIYax51FgazXwLA
CZ5lorskG6xsUK1x/r3cxTIDzWuRAeemVoxG9oiZ2XBB/F76+rsCJqfzUYv1Vdau
xHU/++LX4koZnPw5LtnbOQAZBJXTRcVF4WcKQoMhCUlFYWIBPOiVLfHxlsakQjbr
JBFjqnMr84NJ99AteLxvg7JIiaIn9vsr4DChi2/8KXGLs7MeuR2oQS1XarzSSWPQ
em5vKDD2uOPaJhMwznAwVzTXHvshyOdpHpiKBCaFKGVh25O4fH6cS6pq++k0F7tQ
wQIDAQAB
I can access localhost:3000 and successfully download the corresponding ta.cer and other files.
I’m really curious about where exactly the problem occurs.
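
Added example, not part of the original report and not FORT's own code: a structural check of a TAL file against the RFC 8630 layout (optional `#` comments, one or more rsync/https URIs, one empty line, then the base64 subjectPublicKeyInfo), which rules out a formatting problem before digging into fetch and validation logs. The function name `check_tal`, the host `rpki.example.net` and the 5-byte stand-in key are assumptions made for the example; the check covers layout only, not whether the key matches the certificate served at the URIs.

```python
import base64
import binascii
from urllib.parse import urlsplit

def check_tal(text):
    """Return (uris, spki_der, problems) for a TAL laid out per RFC 8630."""
    lines = [ln.rstrip("\r") for ln in text.split("\n")]
    problems = []
    i = 0
    # 1. Optional comment section: lines starting with '#'.
    while i < len(lines) and lines[i].startswith("#"):
        i += 1
    # 2. URI section: one or more rsync:// or https:// URIs, one per line.
    uris = []
    while i < len(lines) and "://" in lines[i]:
        parts = urlsplit(lines[i].strip())
        if parts.scheme not in ("rsync", "https") or not parts.netloc:
            problems.append(f"line {i + 1}: not an rsync/https URI")
        else:
            uris.append(lines[i].strip())
        i += 1
    if not uris:
        problems.append("no usable TA URI found")
    # 3. One empty line separates the URI section from the key.
    if i < len(lines) and lines[i].strip() == "":
        i += 1
    else:
        problems.append(f"line {i + 1}: expected an empty line after the URI section")
    # 4. Base64 subjectPublicKeyInfo, possibly wrapped over several lines.
    b64 = "".join(ln.strip() for ln in lines[i:])
    spki = b""
    try:
        spki = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        problems.append(f"key section is not valid base64: {exc}")
    if spki[:1] != b"\x30":  # DER SubjectPublicKeyInfo is a SEQUENCE (tag 0x30)
        problems.append("key section does not decode to a DER SEQUENCE")
    return uris, spki, problems

# Constructed samples: a 5-byte DER SEQUENCE stands in for a real public key.
FAKE_SPKI = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
GOOD = ("# constructed example\nhttps://rpki.example.net/ta/ta.cer\n"
        "rsync://rpki.example.net/ta/ta.cer\n\n" + FAKE_SPKI + "\n")
NO_BLANK = GOOD.replace("\n\n", "\n")  # same TAL without the separator line

if __name__ == "__main__":
    for name, tal in (("GOOD", GOOD), ("NO_BLANK", NO_BLANK)):
        print(name, check_tal(tal)[2] or "layout OK")
```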