
Invalid RPKI Certificate Published

An issue with our RPKI software caused an invalid certificate to be published from 9:40 to 10:43 (UTC+1). As this resulted in outages, we strongly recommend that network operators update their Relying Party software to the latest version.

Some Relying Parties had configured their software implementations to reject all certificates in the manifest if a single entry was invalid. As a consequence, once the invalid certificates were published, all RPKI certificates covering resources issued/managed by the RIPE NCC were rejected by these validators during this period.

While RPKI is designed to "fail-open", an unrelated issue with some routers seems to have prevented this from happening, which resulted in outages.
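The effect described in the two paragraphs above can be modelled in a few lines. This is an added example, not RIPE NCC's or any validator's code: the manifest, prefixes and ASNs are constructed, and the less-strict policy shown (skip only the invalid entry) is an assumed simplification. Origin states follow RFC 6811.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Roa:
    """One constructed manifest entry: a ROA and whether it validated."""
    prefix: str
    max_len: int
    asn: int
    valid: bool = True

def accepted_roas(manifest, strict):
    """Return the ROAs a Relying Party keeps from one manifest.

    strict=True  : one invalid entry rejects every entry (behaviour described above).
    strict=False : only the invalid entry is skipped (assumed less-strict reading).
    """
    if strict and any(not r.valid for r in manifest):
        return []
    return [r for r in manifest if r.valid]

def origin_state(route, origin_asn, roas):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(route)
    covered = False
    for r in roas:
        roa_net = ipaddress.ip_network(r.prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True
            if r.asn == origin_asn and net.prefixlen <= r.max_len:
                return "valid"
    return "invalid" if covered else "not-found"

# Constructed manifest using documentation prefixes and ASNs.
MANIFEST = [
    Roa("192.0.2.0/24", 24, 64496),
    Roa("198.51.100.0/24", 24, 64497),
    Roa("203.0.113.0/24", 24, 64498, valid=False),  # the one bad entry
]

def compare(route, origin_asn):
    """Return (state under strict handling, state under less-strict handling)."""
    return (origin_state(route, origin_asn, accepted_roas(MANIFEST, True)),
            origin_state(route, origin_asn, accepted_roas(MANIFEST, False)))

if __name__ == "__main__":
    for route, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64511)]:
        print(route, f"AS{asn}", compare(route, asn))
```

Under strict handling every route falls to not-found, so a router that fails open keeps forwarding but loses the ability to mark a mismatched origin as invalid.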

Some Relying Parties have since updated their software to apply a less-strict approach in light of this issue (Routinator 0.8.2, Fort, rpki-client, and octorpki 1.2.2 are either unaffected or contain the updated interpretation). We have published an update to our own RIPE NCC RPKI Validator, which is currently in the Release Candidate (RC) environment. We plan to deploy this to production on 10 December.

The issue has been resolved. RPKI caught up with the state of the registry and validators can now see it. To prevent any further issues, we recommend you upgrade to the following versions, or newer:

  • Routinator 0.8.2
  • rpki-client 6.8p1
  • FORT 1.4.2
  • octorpki 1.2.2
  • RIPE NCC 3.2-2020.