[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-relays] keypair does not match its older value

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-relays] keypair does not match its older value
From: Alexander Nasonov <alnsn@xxxxxxxxx>
Date: Tue, 20 Jun 2017 23:04:31 +0100
Authentication-results: smtp1p.mail.yandex.net; dkim=pass header.i=@yandex.ru
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 20 Jun 2017 18:03:30 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1497996193; bh=O8mZ4B9Zvxx2zwcpIzOTc9M+SCs31Z1/LkiCwqzwZR4=; h=Date:From:To:Subject:Message-ID; b=e+O7ydTJR4BowM91P8M5w0RfUF7ezu/MTQ1rp3BkZhN6r5aERItJuCRBlwXW+/LDd 9UMAUWep6JMZIbugySBoMxBlZn3p4utKoq0vhZhtKPY8hHeK8dkxDiw/Xl2CUFsAdZ u1CKcQxPprO3LXV2ihZoXsXKcfIM1lOzYywun+uQ=
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: NeoMutt/20170428 (1.8.2)

Hi,

I tried moving a tor relay with offline master key to a new host but
something went wrong and it printed several warnings:

http status 400 ("Looks like your keypair does not match its older value.") response from dirserver

What did I screw up and how to fix this problem if it happends again?

I suspect it will happen again because I generate a new signing key more
frequently than necessary. I create '15 days' key every week and upload
it (over onion ssh connection). This scheme should be resistant to
occasional upload failures but it's not clear which of the last three
signing keys to use on restart. If passing the wrong key can bring down
the relay I need to switch to a different scheme.

I'm thinking about adding these commands to my crontab:

$ crontab -l
@weekly scp "${DESTDIR}/keys/ed25519_signing_cert" "${DESTDIR}/keys//ed25519_signing_secret_key" ${ONION:?}:
@monthly tor --hush --keygen --SigningKeyLifetime '1 month' "${DESTDIR:?}" && {{{scp command from the previous line}}}

Are there any potential problems with this approach (e.g. 28 days in Feb
vs 31 days in March)?

-- 
Alex
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Follow-Ups:
- Re: [tor-relays] keypair does not match its older value
  - From: nusenu
- Re: [tor-relays] keypair does not match its older value
  - From: Roger Dingledine

Prev by Author: Re: [tor-relays] Exit node restarts itself.
Next by Author: Re: [tor-relays] keypair does not match its older value
Previous by thread: [tor-relays] I would lime to poste on this list
Next by thread: Re: [tor-relays] keypair does not match its older value
Index(es):
- Author
- Thread