Now I'm getting permission denied, still out-dated key, and missing master_id_secret_key errors, which are unsurprisingly fatal.
Jan 04 22:41:33.000 [warn] Could not open "/var/lib/tor/keys/ed25519_signing_secret_key": Permission denied Jan 04 22:41:33.000 [notice] It looks like I need to generate and sign a new medium-term signing key, because I don't have one. To do that, I need to load the permanent master identity key. Jan 04 22:41:33.000 [warn] We needed to load a secret key from /var/lib/tor/keys/ed25519_master_id_secret_key, but couldn't find it. Did you forget to copy it over when you copied the rest of the signing key material? Jan 04 22:41:33.000 [warn] Can't load master identity key; OfflineMasterKey is set. Jan 04 22:41:33.000 [err] Error initializing keys; exiting
Which is funny, because the [user] has permission over signing_secret_key, and the ed25519_master_id_secret_key is totally in /var/lib/tor/keys/.
At this point, I just disabled OfflineMasterKeys because there's just not enough information available for me to go about this. If you know of a way to completely regenerate signing keys, master keys, and whatever other keys I need besides the one for my fingerprint, that'd be nice, because I'm fairly certain things are completely screwed up now since Tor can't find or access the the signing_secret_key or master_id_secret_key. I'll be sure to implement that key regeneration in a week or so when I can correct the keys on this node, until then, I'll leave this exit node off until I'm sure it's using valid keys, because there's no point in having a faulty exit node.
secret_id_key, secret_onion_key, and secret_onion_key_ntor weren't touched (I think). So it's the others keys I need to fix.
I'll try this OfflineMasterKeys thing when more operational information is released about it. Because, not only do I not know what I'm doing, I don't even know what it does at this point. --keygen on the master key and writing it automatically to a [user] directory made it property of [user] instead of debian-tor. Also, what is master_id_secret_key_encrypted used for if Tor says it can't use an encrypted master_id_secret_key?
I'm absolutely a linux noob, and I know that's not helping.
On 4.1.16 16:09, s7r wrote:
Hello,
Let's recap (hope I am not missing something):
a) you make sure master_id_secret_key is available in /home/[user]/.tor/keys b) you run # tor --keygen and provide the correct passphrase c) you *move* the newly generated ed25519_signing_secret_key and ed25519_signing_cert *FROM* /home/[user]/.tor/keys *TO* /var/lib/tor/keys or wherever your Tor datadirectory is (depending on your OS / distro) and reload or restart Tor. You don't need to shut down Tor while you use --keygen, you can only reload (HUP) or restart after you've moved the new key and cert.
and you still get the same notice that the medium term signing key is going to expire soon?
If yes, can you let me know other details about your setup? Do you use a SigningKeyLifetime parameter in your torrc?
Also, the directory doesn't need to be /home/[user]/.tor/keys if you are willing to pass it with --datadirectory argument (Tor will just need write permission in the target folder):
# tor --datadirectory /some/path --keygen (the master_id_secret_key needs to be inside a keys folder in /some/path, eg: /some/path/keys/ed25519_master_id_secret_key).
The new medium term signing key and cert will be saved in the same folder and you have to manually move them to your working Tor's instance datadirectory folder as explained above.
We are working on making this simpler by allowing to manually set the master id secret key path and ask for a different output folder for the created files.
On 1/4/2016 9:53 PM, 12xBTM wrote:
So my medium-term signing key expires tomorrow, and Tor notices.log is all up and down about:
Jan 04 19:22:46.000 [notice] It looks like I should try to generate and sign a new medium-term signing key, because the one I have is going to expire soon. But OfflineMasterKey is set, so I won't try to load a permanent master identity key is set. You will need to use 'tor --keygen' make a new signing key and certificate.
Now, that's great and all, so I tossed my master_id_public_key and the master_id_secret_key_encrypted into the folder they were originally generated in, which is: /home/[user]/.tor/keys/ed25519.... Turned off Tor, ran "tor --keygen" Gave my password. It generates a new signing_cert and signing_secret_key in the same directory. And now, no matter what I do, Tor keeps giving the same notice over and over again that the keys are expiring.
The documentation for this feature is slightly lacking. So, if anyone knows what I'm doing wrong, that'd be very helpful.
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays