Hi,
I tried moving a tor relay with offline master key to a new host but something went wrong and it printed several warnings:
http status 400 ("Looks like your keypair does not match its older value.") response from dirserver
What did I screw up and how to fix this problem if it happends again?
I suspect it will happen again because I generate a new signing key more frequently than necessary. I create '15 days' key every week and upload it (over onion ssh connection). This scheme should be resistant to occasional upload failures but it's not clear which of the last three signing keys to use on restart. If passing the wrong key can bring down the relay I need to switch to a different scheme.
I'm thinking about adding these commands to my crontab:
$ crontab -l @weekly scp "${DESTDIR}/keys/ed25519_signing_cert" "${DESTDIR}/keys//ed25519_signing_secret_key" ${ONION:?}: @monthly tor --hush --keygen --SigningKeyLifetime '1 month' "${DESTDIR:?}" && {{{scp command from the previous line}}}
Are there any potential problems with this approach (e.g. 28 days in Feb vs 31 days in March)?
On Tue, Jun 20, 2017 at 11:04:31PM +0100, Alexander Nasonov wrote:
I tried moving a tor relay with offline master key to a new host but something went wrong and it printed several warnings:
http status 400 ("Looks like your keypair does not match its older value.") response from dirserver
This complaint happens when in the past you ran the relay with a given RSA identity key and ED identity key, and now one of them has changed.
What did I screw up and how to fix this problem if it happends again?
Either move back to both of the original identity keys, or discard both identity keys and start fresh.
I suspect it will happen again because I generate a new signing key more frequently than necessary. I create '15 days' key every week and upload it (over onion ssh connection). This scheme should be resistant to occasional upload failures but it's not clear which of the last three signing keys to use on restart. If passing the wrong key can bring down the relay I need to switch to a different scheme.
In theory (i.e. assuming no surprising bugs), updating your signing key should not be relevant here.
(Thanks for running a relay!)
--Roger
Hi Roger,
Roger Dingledine wrote:
On Tue, Jun 20, 2017 at 11:04:31PM +0100, Alexander Nasonov wrote:
I tried moving a tor relay with offline master key to a new host but something went wrong and it printed several warnings:
http status 400 ("Looks like your keypair does not match its older value.") response from dirserver
This complaint happens when in the past you ran the relay with a given RSA identity key and ED identity key, and now one of them has changed.
Indeed, that instance used to run with RSA key.
Either move back to both of the original identity keys, or discard both identity keys and start fresh.
I started fresh.
In theory (i.e. assuming no surprising bugs), updating your signing key should not be relevant here.
So, uploading a new signing key a bit early shouldn't be a problem, right? In this case, I can change '1 month' to '33 days' in my cron.
Many thanks to your help!
On 21 Jun 2017, at 08:25, Alexander Nasonov alnsn@yandex.ru wrote:
Roger Dingledine wrote:
On Tue, Jun 20, 2017 at 11:04:31PM +0100, Alexander Nasonov wrote:
I tried moving a tor relay with offline master key to a new host but something went wrong and it printed several warnings:
http status 400 ("Looks like your keypair does not match its older value.") response from dirserver
This complaint happens when in the past you ran the relay with a given RSA identity key and ED identity key, and now one of them has changed.
Indeed, that instance used to run with RSA key.
Either move back to both of the original identity keys, or discard both identity keys and start fresh.
I started fresh.
You need to start both your RSA and ED identity keys fresh at the same time. You can not re-use any previous keys of any type with a new key.
Or you must re-use a pair of RSA and ED identity keys that were first used together.
T -- Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org ------------------------------------------------------------------------
Alexander Nasonov:
Hi,
I tried moving a tor relay with offline master key to a new host but something went wrong and it printed several warnings:
http status 400 ("Looks like your keypair does not match its older value.") response from dirserver
To avoid that in the future you should certainly automate as much as possible to make all steps reproducible and less error prone.
nusenu wrote:
Alexander Nasonov:
Hi,
I tried moving a tor relay with offline master key to a new host but something went wrong and it printed several warnings:
http status 400 ("Looks like your keypair does not match its older value.") response from dirserver
To avoid that in the future you should certainly automate as much as possible to make all steps reproducible and less error prone.
Automate what? I already run a cron job that uploads signing keys. I don't want anything more complicated than few lines in cron.
What's missing is a good operational guide.
Alex
tor-relays@lists.torproject.org
-
Alexander Nasonov -
nusenu -
Roger Dingledine -
teor