[Nfd-dev] Question about /localhop/nfd/rib fib entry

Junxiao Shi shijunxiao at email.arizona.edu
Thu Jul 13 15:22:44 PDT 2017


Hi John

The answer below assumes you have installed NFD via apt. You shouldn’t run into this problem if NFD is installed from source code and is started from the same user.

> I believe I have a valid certificate:
> 
> jdd at forest1:~$ ndnsec-list
> * /ndn/edu/wustl/jdd
> jdd at forest1:~$ ndnsec-list -c
> * /ndn/edu/wustl/jdd
>   +->* /ndn/edu/wustl/jdd/ksk-1499982053408
>        +->* /ndn/edu/wustl/KEY/jdd/ksk-1499982053408/ID-CERT/%FD%00%00%01%5D%3D%E6q%EC

This shows your user PIB, not NFD-RIB’s PIB under ‘ndn’ user in /var/lib/ndn/nfd directory.

Can you show the output of: sudo HOME=/var/lib/ndn/nfd -u ndn ndnsec list -c
The certificate needs to show up there so that it is accessible by NFD-RIB.

If it’s not there, export the certificate and private key from your user PIB and TPM, and import it into NFD-RIB’s PIB and TPM. See Let the World Reach Your NFD <https://yoursunny.com/t/2016/nfd-prefix/>, Where’s the Key Chain section for how to do that.
Another caveat I found recently is: sudo HOME=/var/lib/ndn/nfd -u ndn ndnsec get-default needs to show /localhost/daemons/nfd. Otherwise, NFD-RIB would sign FIB update commands with a different certificate, and NFD would reject them. The end result is: NFD-RIB would terminate itself when FIB updates fail, and systemd complains nfd.service is not starting correctly. If get-default says something, you can try to use set-default to fix it if the certificate is not lost yet, or just reinstall nfd package.

In my deployments, I prefix every command ndncert asks me to execute with sudo HOME=/var/lib/ndn/nfd -u ndn , to avoid this problem in the first place. I have sub-certificates for use in user accounts.

Yours, Junxiao
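
The two checks described in the message above (the certificate must be listed in NFD-RIB's PIB, and get-default must show /localhost/daemons/nfd), combined into one preflight script. This is an added example, not part of the original message or of NFD; the function names, the --live switch and the sample listing are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original message. Helper names are hypothetical.
NFD_HOME=/var/lib/ndn/nfd               # NFD-RIB's HOME on apt installs (from the message)
EXPECTED_DEFAULT=/localhost/daemons/nfd # identity get-default must show (from the message)

# Constructed sample of `ndnsec list -c` output. The /localhost/daemons/nfd key
# and certificate names are made up; the jdd entries are those quoted above.
SAMPLE='* /localhost/daemons/nfd
  +->* /localhost/daemons/nfd/ksk-1
       +->* /localhost/daemons/nfd/KEY/ksk-1/ID-CERT/%FD%01
  /ndn/edu/wustl/jdd
  +->* /ndn/edu/wustl/jdd/ksk-1499982053408
       +->* /ndn/edu/wustl/KEY/jdd/ksk-1499982053408/ID-CERT/%FD%00%00%01%5D%3D%E6q%EC'

# Run an ndnsec subcommand against NFD-RIB's PIB rather than the caller's.
ndnsec_as_nfd() {
    sudo HOME="$NFD_HOME" -u ndn ndnsec "$@"
}

# list_certs_for IDENTITY: read `ndnsec list -c` output on stdin and print the
# certificate names under IDENTITY. Assumes identity lines start in column 0
# ("* " for the default, two spaces otherwise) and that certificate lines are
# indented deeper than key lines, as in the listing quoted in the message.
list_certs_for() {
    awk -v want="$1" '
        /^[* ] \//        { hit = ($NF == want); next }          # identity line
        hit && /^ +[+]->/ { if (index($0, "+") > 3) print $NF }  # cert, not key
    '
}

# check_keychain LISTING DEFAULT IDENTITY: succeed only if DEFAULT is the
# expected default identity and IDENTITY has a certificate in LISTING.
check_keychain() {
    listing=$1 default=$2 identity=$3 status=0
    if [ "$default" != "$EXPECTED_DEFAULT" ]; then
        echo "default identity is '$default', expected $EXPECTED_DEFAULT" >&2
        status=1
    fi
    if [ -z "$(printf '%s\n' "$listing" | list_certs_for "$identity")" ]; then
        echo "no certificate for $identity in NFD-RIB's PIB" >&2
        status=1
    fi
    return $status
}

# Query the real key chain only on request: script.sh --live /ndn/edu/wustl/jdd
if [ "${1:-}" = "--live" ]; then
    check_keychain "$(ndnsec_as_nfd list -c)" "$(ndnsec_as_nfd get-default)" "$2"
fi
```
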