Re: [tor-relays] keypair does not match its older value
nusenu wrote:
> Alexander Nasonov:
> > Hi,
> >
> > I tried moving a tor relay with offline master key to a new host but
> > something went wrong and it printed several warnings:
> >
> > http status 400 ("Looks like your keypair does not match its older value.")
> > response from dirserver
>
> To avoid that in the future you should certainly automate as much as
> possible to make all steps reproducible and less error prone.

Automate what? I already run a cron job that uploads signing keys. I don't want anything more complicated than a few lines in cron. What's missing is a good operational guide.

Alex

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] keypair does not match its older value
Alexander Nasonov:
> Hi,
>
> I tried moving a tor relay with offline master key to a new host but
> something went wrong and it printed several warnings:
>
> http status 400 ("Looks like your keypair does not match its older value.")
> response from dirserver

To avoid that in the future you should certainly automate as much as possible to make all steps reproducible and less error prone.

--
https://mastodon.social/@nusenu
https://twitter.com/nusenu_
Re: [tor-relays] keypair does not match its older value
> On 21 Jun 2017, at 08:25, Alexander Nasonov wrote:
>
> Roger Dingledine wrote:
>> On Tue, Jun 20, 2017 at 11:04:31PM +0100, Alexander Nasonov wrote:
>>> I tried moving a tor relay with offline master key to a new host but
>>> something went wrong and it printed several warnings:
>>>
>>> http status 400 ("Looks like your keypair does not match its older value.")
>>> response from dirserver
>>
>> This complaint happens when in the past you ran the relay with a given
>> RSA identity key and ED identity key, and now one of them has changed.
>
> Indeed, that instance used to run with RSA key.
>
>> Either move back to both of the original identity keys, or discard both
>> identity keys and start fresh.
>
> I started fresh.

You need to start both your RSA and ED identity keys fresh at the same time. You can not re-use any previous keys of any type with a new key. Or you must re-use a pair of RSA and ED identity keys that were first used together.

T

--
Tim Wilson-Brown (teor)
teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
Re: [tor-relays] keypair does not match its older value
Hi Roger,

Roger Dingledine wrote:
> On Tue, Jun 20, 2017 at 11:04:31PM +0100, Alexander Nasonov wrote:
> > I tried moving a tor relay with offline master key to a new host but
> > something went wrong and it printed several warnings:
> >
> > http status 400 ("Looks like your keypair does not match its older value.")
> > response from dirserver
>
> This complaint happens when in the past you ran the relay with a given
> RSA identity key and ED identity key, and now one of them has changed.

Indeed, that instance used to run with RSA key.

> Either move back to both of the original identity keys, or discard both
> identity keys and start fresh.

I started fresh.

> In theory (i.e. assuming no surprising bugs), updating your signing key
> should not be relevant here.

So, uploading a new signing key a bit early shouldn't be a problem, right? In this case, I can change '1 month' to '33 days' in my cron.

Many thanks for your help!

--
Alex
Re: [tor-relays] keypair does not match its older value
On Tue, Jun 20, 2017 at 11:04:31PM +0100, Alexander Nasonov wrote:
> I tried moving a tor relay with offline master key to a new host but
> something went wrong and it printed several warnings:
>
> http status 400 ("Looks like your keypair does not match its older value.")
> response from dirserver

This complaint happens when in the past you ran the relay with a given RSA identity key and ED identity key, and now one of them has changed.

> What did I screw up and how to fix this problem if it happens again?

Either move back to both of the original identity keys, or discard both identity keys and start fresh.

> I suspect it will happen again because I generate a new signing key more
> frequently than necessary. I create '15 days' key every week and upload
> it (over onion ssh connection). This scheme should be resistant to
> occasional upload failures but it's not clear which of the last three
> signing keys to use on restart. If passing the wrong key can bring down
> the relay I need to switch to a different scheme.

In theory (i.e. assuming no surprising bugs), updating your signing key should not be relevant here.

(Thanks for running a relay!)

--Roger
[tor-relays] keypair does not match its older value
Hi,

I tried moving a tor relay with offline master key to a new host but something went wrong and it printed several warnings:

http status 400 ("Looks like your keypair does not match its older value.")
response from dirserver

What did I screw up and how to fix this problem if it happens again?

I suspect it will happen again because I generate a new signing key more frequently than necessary. I create '15 days' key every week and upload it (over onion ssh connection). This scheme should be resistant to occasional upload failures but it's not clear which of the last three signing keys to use on restart. If passing the wrong key can bring down the relay I need to switch to a different scheme.

I'm thinking about adding these commands to my crontab:

$ crontab -l
@weekly scp "${DESTDIR}/keys/ed25519_signing_cert" "${DESTDIR}/keys/ed25519_signing_secret_key" ${ONION:?}:
@monthly tor --hush --keygen --SigningKeyLifetime '1 month' "${DESTDIR:?}" && {{{scp command from the previous line}}}

Are there any potential problems with this approach (e.g. 28 days in Feb vs 31 days in March)?

--
Alex
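Two operational points come out of this thread: the RSA and ed25519 identity keys must travel together, and when several rotated signing keys are lying around it is not obvious which one is still usable. The following is an added example written for this page (it is not code from the thread or from the Tor project) that shows how a small pre-start check could decide the second question offline. It reads tor's on-disk files, whose framing is a 32-byte NUL-padded tag line ("== ed25519v1-cert: type4 ==" for the signing cert, "== ed25519v1-public: type0 ==" for the master public key) followed by the body described in tor's cert-spec (version, cert type, expiration in hours since the epoch, certified key, extensions, 64-byte signature; extension type 0x04 carries the master key that signed the cert). The sample certificates, master keys and the fixed "now" are constructed and carry a zero signature, so the script only checks layout, expiry and master-key match; it does not verify the ed25519 signature (tor does that itself at startup) and says nothing about the RSA identity key, which has to be copied alongside the ed25519 material in any case.

```python
"""Pick a still-valid Tor ed25519 signing cert that belongs to this relay's
master key. Added example; file layout per tor's cert-spec, samples constructed."""
import struct

HEADER_LEN = 32
CERT_TAG = b"== ed25519v1-cert: type4 =="       # tag line of ed25519_signing_cert
PUBKEY_TAG = b"== ed25519v1-public: type0 =="   # tag line of ed25519_master_id_public_key
CERT_TYPE_SIGNING = 0x04      # "signing key certified by identity key"
EXT_SIGNED_WITH_KEY = 0x04    # extension carrying the signing (master) key
SIG_LEN = 64


def _tagged(tag, body):
    """Tor key-file framing: tag NUL-padded to 32 bytes, then the raw body."""
    return tag.ljust(HEADER_LEN, b"\0") + body


def parse_signing_cert(blob):
    """Return expiry (unix seconds), certified signing key and master key.
    Any framing or length problem raises ValueError instead of guessing."""
    if not blob[:HEADER_LEN].startswith(CERT_TAG):
        raise ValueError("not an ed25519v1-cert type4 file")
    body = blob[HEADER_LEN:]
    if len(body) < 7 + 32 + 1 + SIG_LEN:
        raise ValueError("certificate body truncated")
    version, cert_type, exp_hours, key_type = struct.unpack(">BBIB", body[:7])
    if version != 1 or cert_type != CERT_TYPE_SIGNING or key_type != 1:
        raise ValueError("unexpected cert version/type/key type")
    certified_key = body[7:39]
    n_ext = body[39]
    pos = 40
    master_key = None
    for _ in range(n_ext):
        if pos + 4 > len(body):
            raise ValueError("extension header truncated")
        ext_len, ext_type, _flags = struct.unpack(">HBB", body[pos:pos + 4])
        ext_data = body[pos + 4:pos + 4 + ext_len]
        if len(ext_data) != ext_len:
            raise ValueError("extension data truncated")
        if ext_type == EXT_SIGNED_WITH_KEY:
            master_key = ext_data
        pos += 4 + ext_len
    if len(body) - pos != SIG_LEN:
        raise ValueError("signature length mismatch")
    return {"expires": exp_hours * 3600, "signing_key": certified_key,
            "master_key": master_key}


def parse_master_pubkey(blob):
    """Read ed25519_master_id_public_key: tag line + 32 raw key bytes."""
    if not blob[:HEADER_LEN].startswith(PUBKEY_TAG) or len(blob) != HEADER_LEN + 32:
        raise ValueError("not an ed25519v1-public type0 file")
    return blob[HEADER_LEN:]


def pick_usable_cert(certs, master_pub, now):
    """Among (name, cert_bytes) candidates return the name of the one that is
    signed by *this* relay's master key, not yet expired, and expires latest.
    A cert from another master key is exactly the mismatch the directory
    authorities reject, so it is skipped even if it is the freshest file."""
    best = None
    for name, blob in certs:
        info = parse_signing_cert(blob)
        if info["master_key"] != master_pub or info["expires"] <= now:
            continue
        if best is None or info["expires"] > best[1]:
            best = (name, info["expires"])
    return best[0] if best else None


def build_cert(expiry_hours, signing_pub, master_pub):
    """CONSTRUCTED cert with an all-zero signature (tor would reject it;
    it exists only to exercise the parser and the selection logic)."""
    ext = struct.pack(">HBB", 32, EXT_SIGNED_WITH_KEY, 0) + master_pub
    body = (struct.pack(">BBIB", 1, CERT_TYPE_SIGNING, expiry_hours, 1)
            + signing_pub + bytes([1]) + ext + bytes(SIG_LEN))
    return _tagged(CERT_TAG, body)


# Constructed sample data: two relays' master keys, a fixed "now" (June 2017).
MASTER_A = bytes([0xAA]) * 32
MASTER_B = bytes([0xBB]) * 32
NOW = 1_498_000_000
H = NOW // 3600
SAMPLE_CERTS = [
    ("cert_week1", build_cert(H - 24, bytes([1]) * 32, MASTER_A)),        # expired
    ("cert_week2", build_cert(H + 7 * 24, bytes([2]) * 32, MASTER_A)),    # valid
    ("cert_week3", build_cert(H + 14 * 24, bytes([3]) * 32, MASTER_A)),   # valid, newest
    ("cert_other", build_cert(H + 30 * 24, bytes([4]) * 32, MASTER_B)),   # wrong master
]
MASTER_A_FILE = _tagged(PUBKEY_TAG, MASTER_A)

if __name__ == "__main__":
    chosen = pick_usable_cert(SAMPLE_CERTS, parse_master_pubkey(MASTER_A_FILE), NOW)
    print("use signing cert:", chosen)   # expect cert_week3
```

In practice the same selection would be run over the real files before `tor` is started on the new host, with `now` taken from the clock; if it returns nothing, the remaining options are the ones Roger gives above (restore the original key pair or start entirely fresh), and a cert that parses but names a different master key is the "keypair does not match" situation rather than something to be retried.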