<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">Hi John</div><div class=""><br class=""></div><div class="">The answer below assumes you have installed NFD via apt. You shouldn’t run into this problem if NFD is installed from source code and is started from the same user.</div><div class=""><br class=""></div><div><blockquote type="cite" class=""><div class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div class="">I believe I have a valid certificate:</div>
<div class=""><br class="">
</div>
<div class="">
<div class="">jdd@forest1:~$ ndnsec-list</div>
<div class="">* /ndn/edu/wustl/jdd</div>
<div class="">jdd@forest1:~$ ndnsec-list -c</div>
<div class="">* /ndn/edu/wustl/jdd</div>
<div class=""> +->* /ndn/edu/wustl/jdd/ksk-1499982053408</div>
<div class=""> +->* /ndn/edu/wustl/KEY/jdd/ksk-1499982053408/ID-CERT/%FD%00%00%01%5D%3D%E6q%EC</div></div></div></div></blockquote><div><br class=""></div><div>This shows your user PIB, not NFD-RIB’s PIB under ‘ndn’ user in /var/lib/ndn/nfd directory.</div><div><br class=""></div><div>Can you show the output of: <font face="Courier New" class="">sudo HOME=/var/lib/ndn/nfd -u ndn ndnsec list -c</font></div><div>The certificate needs to show up there so that it is accessible by NFD-RIB.</div><div><br class=""></div><div>If it’s not there, export the certificate and private key from your user PIB and TPM, and import it into NFD-RIB’s PIB and TPM. See <a href="https://yoursunny.com/t/2016/nfd-prefix/" class="">Let the World Reach Your NFD</a>, Where’s the Key Chain section for how to do that.</div><div>Another caveat I found recently is: <span style="font-family: 'Courier New';" class="">sudo HOME=/var/lib/ndn/nfd -u ndn ndnsec get-default</span> needs to show /localhost/daemons/nfd. Otherwise, NFD-RIB would sign FIB update commands with a different certificate, and NFD would reject them. The end result is: NFD-RIB would terminate itself when FIB updates fail, and systemd complains nfd.service is not starting correctly. In get-default says something, you can try to use set-default to fix it if the certificate is not lost yet, or just reinstall nfd package.</div><div><br class=""></div><div>In my deployments, I prefix every command ndncert asks me to execute with <span style="font-family: 'Courier New';" class="">sudo HOME=/var/lib/ndn/nfd -u ndn</span> , to avoid this problem in the first place. I have sub-certificates for use in user accounts.</div><div><br class=""></div><div>Yours, Junxiao</div></div></body></html>