[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] keypair does not match its older value

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] keypair does not match its older value
From: Roger Dingledine <arma@xxxxxxx>
Date: Tue, 20 Jun 2017 18:06:53 -0400
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 20 Jun 2017 18:07:07 -0400
In-reply-to: <20170620220431.wj5sjpt7qls7lvpe@neva>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <20170620220431.wj5sjpt7qls7lvpe@neva>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mutt/1.8.2 (2017-04-18)

On Tue, Jun 20, 2017 at 11:04:31PM +0100, Alexander Nasonov wrote:
> I tried moving a tor relay with offline master key to a new host but
> something went wrong and it printed several warnings:
> 
> http status 400 ("Looks like your keypair does not match its older value.") response from dirserver

This complaint happens when in the past you ran the relay with a given
RSA identity key and ED identity key, and now one of them has changed.

> What did I screw up and how to fix this problem if it happends again?

Either move back to both of the original identity keys, or discard both
identity keys and start fresh.

> I suspect it will happen again because I generate a new signing key more
> frequently than necessary. I create '15 days' key every week and upload
> it (over onion ssh connection). This scheme should be resistant to
> occasional upload failures but it's not clear which of the last three
> signing keys to use on restart. If passing the wrong key can bring down
> the relay I need to switch to a different scheme.

In theory (i.e. assuming no surprising bugs), updating your signing key
should not be relevant here.

(Thanks for running a relay!)

--Roger

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Follow-Ups:
- Re: [tor-relays] keypair does not match its older value
  - From: Alexander Nasonov

References:
- [tor-relays] keypair does not match its older value
  - From: Alexander Nasonov

Prev by Author: Re: [tor-relays] published descriptor missing from consensus
Next by Author: Re: [tor-relays] [SOLVED] published descriptor missing from consensus
Previous by thread: [tor-relays] keypair does not match its older value
Next by thread: Re: [tor-relays] keypair does not match its older value
Index(es):
- Author
- Thread