Routinator with lab TAL fails to sync via RRDP

I am working through a lab install. I have the TA and online CA installed along with one child CA. There is a separate publisher and repository server for the child CA (using nginx & rsync).

When I configure Routinator with the TAL, I keep getting these errors related to RRDP, but it is succeeding in syncing over rsync.

If I tail the nginx logs on the repository server when restarting the Routinator service, I don’t even see it attempting to connect via RRDP. Not sure what I am doing wrong.

I have debug and `--log-repository-issues` configured, but this is the only detail I receive.

(I had to replace https with [https] and rsync with [rsync] to get past an error with the form submission)

2026-03-21T23:43:06.410482-04:00 rpkirelay01 routinator[5967]: Starting a validation run.
2026-03-21T23:43:06.410548-04:00 rpkirelay01 routinator[5967]: Using the following TALs:
2026-03-21T23:43:06.410591-04:00 rpkirelay01 routinator[5967]: * ta
2026-03-21T23:43:06.416417-04:00 rpkirelay01 routinator[5967]: [rsync] [rsync]://rpkica01.lab.local/ta/: running command Command { std: "[rsync]" "--no-motd" "-z" "--contimeout=10" "--max-size=20000000" "-rtO" "--delete" "[rsync]://rpkica01.lab.local/ta/" "/var/lib/routinator/rpki-cache/[rsync]/rpkica01.lab.local/ta/", kill_on_drop: false }
2026-03-21T23:43:06.537181-04:00 rpkirelay01 routinator[5967]: Found valid trust anchor [rsync]://rpkica01.lab.local/ta/ta.cer. Processing.
2026-03-21T23:43:06.542184-04:00 rpkirelay01 routinator[5967]: RRDP [https]://rpkica01.lab.local/rrdp/notification.xml: error sending request for url ([https]://rpkica01.lab.local/rrdp/notification.xml) (client error (Connect))
2026-03-21T23:43:06.542274-04:00 rpkirelay01 routinator[5967]: RRDP [https]://rpkica01.lab.local/rrdp/notification.xml: Update failed and there is no current copy.
2026-03-21T23:43:06.542337-04:00 rpkirelay01 routinator[5967]: [rsync] [rsync]://rpkica01.lab.local/repo/: running command Command { std: "[rsync]" "--no-motd" "-z" "--contimeout=10" "--max-size=20000000" "-rtO" "--delete" "[rsync]://rpkica01.lab.local/repo/" "/var/lib/routinator/rpki-cache/[rsync]/rpkica01.lab.local/repo/", kill_on_drop: false }
2026-03-21T23:43:06.664501-04:00 rpkirelay01 routinator[5967]: RRDP [https]://rpki01.lab.local/rrdp/notification.xml: error sending request for url ([https]://rpki01.lab.local/rrdp/notification.xml) (client error (Connect))
2026-03-21T23:43:06.664676-04:00 rpkirelay01 routinator[5967]: RRDP [https]://rpki01.lab.local/rrdp/notification.xml: Update failed and there is no current copy.
2026-03-21T23:43:06.664740-04:00 rpkirelay01 routinator[5967]: [rsync] [rsync]://rpki01.lab.local/repo/: running command Command { std: "[rsync]" "--no-motd" "-z" "--contimeout=10" "--max-size=20000000" "-rtO" "--delete" "[rsync]://rpki01.lab.local/repo/" "/var/lib/routinator/rpki-cache/[rsync]/rpki01.lab.local/repo/", kill_on_drop: false }
2026-03-21T23:43:06.781240-04:00 rpkirelay01 routinator[5967]: Validation completed in 0 seconds.
2026-03-21T23:43:06.781359-04:00 rpkirelay01 routinator[5967]: Summary at 2026-03-22 03:43:06.409836875 UTC
2026-03-21T23:43:06.781424-04:00 rpkirelay01 routinator[5967]: ta:
2026-03-21T23:43:06.781476-04:00 rpkirelay01 routinator[5967]: ROAs: 1 verified;
2026-03-21T23:43:06.781559-04:00 rpkirelay01 routinator[5967]: VRPs: 1 verified, 1 final;
2026-03-21T23:43:06.781607-04:00 rpkirelay01 routinator[5967]: router certs: 0 verified;
2026-03-21T23:43:06.781788-04:00 rpkirelay01 routinator[5967]: router keys: 0 verified, 0 final;
2026-03-21T23:43:06.781856-04:00 rpkirelay01 routinator[5967]: ASPAs: 0 verified, 0 final;
2026-03-21T23:43:06.781904-04:00 rpkirelay01 routinator[5967]: total:
2026-03-21T23:43:06.782050-04:00 rpkirelay01 routinator[5967]: ROAs: 1 verified;
2026-03-21T23:43:06.782130-04:00 rpkirelay01 routinator[5967]: VRPs: 1 verified, 1 final;
2026-03-21T23:43:06.782184-04:00 rpkirelay01 routinator[5967]: router certs: 0 verified;
2026-03-21T23:43:06.782240-04:00 rpkirelay01 routinator[5967]: router keys: 0 verified, 0 final;
2026-03-21T23:43:06.782287-04:00 rpkirelay01 routinator[5967]: ASPAs: 0 verified, 0 final;
2026-03-21T23:43:06.782338-04:00 rpkirelay01 routinator[5967]: New serial is 0.
2026-03-21T23:43:06.782391-04:00 rpkirelay01 routinator[5967]: Next validation run scheduled in 600 seconds

I’m assuming that rpkica01.lab.local uses a self-signed certificate? If so, you also need to add your own root cert using `--rrdp-root-cert`, or else it will be rejected.

Yes, I generated a self-signed certificate using OpenSSL and updated the nginx config file:

ssl_certificate /var/lib/krill/data/ssl/rpkica01-cert.pem;
ssl_certificate_key /var/lib/krill/data/ssl/rpkica01-key.pem;

Restarted nginx service

Copied the certificate to the following directory I created on the Routinator system: /var/lib/routinator/root-ca/rpkica01-cert.pem

Updated the /etc/routinator/routinator.conf file

repository-dir = "/var/lib/routinator/rpki-cache"
rtr-listen = ["0.0.0.0:3323"]
http-listen = ["0.0.0.0:80"]
allow-dubious-hosts = true
log-repository-issues = true
log-level = "debug"
rrdp-root-certs = ["/var/lib/routinator/root-ca/rpkica01-cert.pem"]

Still fails:

2026-03-23T09:41:29.286844-04:00 rpkirelay01 systemd[1]: Stopping routinator.service - Routinator 3000…
2026-03-23T09:41:29.287682-04:00 rpkirelay01 systemd[1]: routinator.service: Deactivated successfully.
2026-03-23T09:41:29.287755-04:00 rpkirelay01 systemd[1]: Stopped routinator.service - Routinator 3000.
2026-03-23T09:41:29.297499-04:00 rpkirelay01 systemd[1]: Starting routinator.service - Routinator 3000…
2026-03-23T09:41:29.336463-04:00 rpkirelay01 systemd[1]: Started routinator.service - Routinator 3000.
2026-03-23T09:41:29.338338-04:00 rpkirelay01 routinator[15735]: Using config file /etc/routinator/routinator.conf.
2026-03-23T09:41:29.343882-04:00 rpkirelay01 routinator[15735]: Starting a validation run.
2026-03-23T09:41:29.343983-04:00 rpkirelay01 routinator[15735]: Using the following TALs:
2026-03-23T09:41:29.344042-04:00 rpkirelay01 routinator[15735]: * ta
2026-03-23T09:41:29.344146-04:00 rpkirelay01 routinator[15735]: Initial quick validation failed: no trust anchor for TAL ta.
2026-03-23T09:41:29.344345-04:00 rpkirelay01 routinator[15735]: Retrying full validation run.
2026-03-23T09:41:29.344432-04:00 rpkirelay01 routinator[15735]: Next validation run scheduled in 0 seconds
2026-03-23T09:41:29.344499-04:00 rpkirelay01 routinator[15735]: Starting a validation run.
2026-03-23T09:41:29.344558-04:00 rpkirelay01 routinator[15735]: Using the following TALs:
2026-03-23T09:41:29.344622-04:00 rpkirelay01 routinator[15735]: * ta
2026-03-23T09:41:29.349915-04:00 rpkirelay01 routinator[15735]: rsync rsync://rpkica01.lab.local/ta/: running command Command { std: "rsync" "--no-motd" "-z" "--contimeout=10" "--max-size=20000000" "-rtO" "--delete" "rsync://rpkica01.lab.local/ta/" "/var/lib/routinator/rpki-cache/rsync/rpkica01.lab.local/ta/", kill_on_drop: false }
2026-03-23T09:41:29.467318-04:00 rpkirelay01 routinator[15735]: Found valid trust anchor rsync://rpkica01.lab.local/ta/ta.cer. Processing.
2026-03-23T09:41:29.472301-04:00 rpkirelay01 routinator[15735]: RRDP [https]://rpkica01.lab.local/rrdp/notification.xml: error sending request for url ([https]://rpkica01.lab.local/rrdp/notification.xml) (client error (Connect))
2026-03-23T09:41:29.472397-04:00 rpkirelay01 routinator[15735]: RRDP [https]://rpkica01.lab.local/rrdp/notification.xml: Update failed and there is no current copy.
2026-03-23T09:41:29.472452-04:00 rpkirelay01 routinator[15735]: [rysnc] [rysnc]://rpkica01.lab.local/repo/: running command Command { std: "[rysnc]" "--no-motd" "-z" "--contimeout=10" "--max-size=20000000" "-rtO" "--delete" "[rysnc]://rpkica01.lab.local/repo/" "/var/lib/routinator/rpki-cache/[rysnc]/rpkica01.lab.local/repo/", kill_on_drop: false }
2026-03-23T09:41:29.596441-04:00 rpkirelay01 routinator[15735]: RRDP [https]://rpki01.lab.local/rrdp/notification.xml: error sending request for url ([https]://rpki01.lab.local/rrdp/notification.xml) (client error (Connect))
2026-03-23T09:41:29.596532-04:00 rpkirelay01 routinator[15735]: RRDP [https]://rpki01.lab.local/rrdp/notification.xml: Update failed and there is no current copy.
2026-03-23T09:41:29.596632-04:00 rpkirelay01 routinator[15735]: [rysnc] [rysnc]://rpki01.lab.local/repo/: running command Command { std: "[rysnc]" "--no-motd" "-z" "--contimeout=10" "--max-size=20000000" "-rtO" "--delete" "[rysnc]://rpki01.lab.local/repo/" "/var/lib/routinator/rpki-cache/[rysnc]/rpki01.lab.local/repo/", kill_on_drop: false }
2026-03-23T09:41:29.713486-04:00 rpkirelay01 routinator[15735]: Validation completed in 0 seconds.
2026-03-23T09:41:29.713594-04:00 rpkirelay01 routinator[15735]: Summary at 2026-03-23 13:41:29.344304920 UTC
2026-03-23T09:41:29.713652-04:00 rpkirelay01 routinator[15735]: ta:
2026-03-23T09:41:29.713706-04:00 rpkirelay01 routinator[15735]: ROAs: 1 verified;
2026-03-23T09:41:29.713751-04:00 rpkirelay01 routinator[15735]: VRPs: 1 verified, 1 final;
2026-03-23T09:41:29.713943-04:00 rpkirelay01 routinator[15735]: router certs: 0 verified;
2026-03-23T09:41:29.714018-04:00 rpkirelay01 routinator[15735]: router keys: 0 verified, 0 final;
2026-03-23T09:41:29.714084-04:00 rpkirelay01 routinator[15735]: ASPAs: 0 verified, 0 final;
2026-03-23T09:41:29.714164-04:00 rpkirelay01 routinator[15735]: total:
2026-03-23T09:41:29.714216-04:00 rpkirelay01 routinator[15735]: ROAs: 1 verified;
2026-03-23T09:41:29.714271-04:00 rpkirelay01 routinator[15735]: VRPs: 1 verified, 1 final;
2026-03-23T09:41:29.714320-04:00 rpkirelay01 routinator[15735]: router certs: 0 verified;
2026-03-23T09:41:29.714410-04:00 rpkirelay01 routinator[15735]: router keys: 0 verified, 0 final;
2026-03-23T09:41:29.714463-04:00 rpkirelay01 routinator[15735]: ASPAs: 0 verified, 0 final;
2026-03-23T09:41:29.714519-04:00 rpkirelay01 routinator[15735]: New serial is 0.
2026-03-23T09:41:29.714569-04:00 rpkirelay01 routinator[15735]: Sending out notifications.
2026-03-23T09:41:29.714627-04:00 rpkirelay01 routinator[15735]: Next validation run scheduled in 600 seconds

I also added this certificate to the trust store as well (just in case)

sudo cp rpkica01-cert.crt /usr/local/share/ca-certificates/

sudo update-ca-certificates

Same issue.

I also tried using a certificate from my own internal CA and adding the root and subordinate CA certs to the routinator configuration file with the same results.

By default Routinator uses its own certificate store and not the system’s one (though when compiled with “native-tls” it should use the system certificate store). Are you sure the configuration for the rrdp-root-certs is correct? You can also set it in the config file with:

rrdp-root-certs = ["/a/b/c.cer", "/a/b/d.cer", ...]
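
Added example, not part of the thread and not Routinator code: a small log triage that groups the RRDP failures shown above by repository host, records the logged reason, and notes whether the run then fell back to rsync for that host. The sample lines are constructed from the thread's log (the `[https]`/`[rsync]` placeholders written as plain schemes, the rsync command shortened), and `trusted_hosts` is a hypothetical parameter naming the hosts the operator believes the `rrdp-root-certs` entries cover.

```python
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the thread's log: placeholders are written as
# plain schemes and the rsync command arguments are shortened to "{ ... }".
SAMPLE_LOG = """\
2026-03-21T23:43:06.416417-04:00 rpkirelay01 routinator[5967]: rsync rsync://rpkica01.lab.local/ta/: running command Command { ... }
2026-03-21T23:43:06.542184-04:00 rpkirelay01 routinator[5967]: RRDP https://rpkica01.lab.local/rrdp/notification.xml: error sending request for url (https://rpkica01.lab.local/rrdp/notification.xml) (client error (Connect))
2026-03-21T23:43:06.542274-04:00 rpkirelay01 routinator[5967]: RRDP https://rpkica01.lab.local/rrdp/notification.xml: Update failed and there is no current copy.
2026-03-21T23:43:06.542337-04:00 rpkirelay01 routinator[5967]: rsync rsync://rpkica01.lab.local/repo/: running command Command { ... }
2026-03-21T23:43:06.664501-04:00 rpkirelay01 routinator[5967]: RRDP https://rpki01.lab.local/rrdp/notification.xml: error sending request for url (https://rpki01.lab.local/rrdp/notification.xml) (client error (Connect))
2026-03-21T23:43:06.664676-04:00 rpkirelay01 routinator[5967]: RRDP https://rpki01.lab.local/rrdp/notification.xml: Update failed and there is no current copy.
2026-03-21T23:43:06.664740-04:00 rpkirelay01 routinator[5967]: rsync rsync://rpki01.lab.local/repo/: running command Command { ... }
"""

RRDP_LINE = re.compile(r"routinator\[\d+\]: RRDP (https://\S+): (.*)$")
RSYNC_LINE = re.compile(r"routinator\[\d+\]: rsync (rsync://\S+): running command")
REASON = re.compile(r"\(([^()]*\([^()]*\))\)\s*$")  # trailing "(client error (Connect))"

def triage(log_text):
    """Map each failing RRDP host to its logged reasons and rsync fallback."""
    hosts = {}
    for line in log_text.splitlines():
        rrdp = RRDP_LINE.search(line)
        if rrdp:
            entry = hosts.setdefault(urlsplit(rrdp[1]).hostname, {
                "reasons": set(), "no_cached_copy": False, "rsync_fallback": False})
            reason = REASON.search(rrdp[2])
            if reason:
                entry["reasons"].add(reason[1])
            elif rrdp[2].startswith("Update failed and there is no current copy"):
                entry["no_cached_copy"] = True
            continue
        rsync = RSYNC_LINE.search(line)
        host = urlsplit(rsync[1]).hostname if rsync else None
        # An rsync fetch counts as fallback only if RRDP already failed for that host.
        if host in hosts:
            hosts[host]["rsync_fallback"] = True
    return hosts

def uncovered_hosts(result, trusted_hosts):
    """Failing RRDP hosts that are not in the operator-supplied trusted set."""
    return sorted(h for h, e in result.items() if e["reasons"] and h not in trusted_hosts)

if __name__ == "__main__":
    for name, info in triage(SAMPLE_LOG).items():
        print(name, info)
    print(uncovered_hosts(triage(SAMPLE_LOG), {"rpkica01.lab.local"}))
```

On the sample, both `rpkica01.lab.local` and `rpki01.lab.local` fail with the same reason and are fetched over rsync afterwards, so any trust configuration has to account for each RRDP host that appears in the log.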