Hi,

about four weeks ago, I switched off one of my relays and two of my bridges running on Debian 11 ("Bullseye") systems after discovering the "not recommended" flags on the Tor metrics overview of those relays with the intention of reinstalling and reconfiguring the underlying VMs and relays the following days. (A few days later, I read on this list that those flags are not that critical, but unfortunately Tor doesn't seem to be updated for Debian 11 at the official torproject Debian repositories [1]). But as life goes, something always came up in the days that followed. However, a week ago, I finally wanted to reinstall one of the bridges. I'm using Offline Relay Identity Keys [2], so I created a new intermediate key pair consisting of ed25519_signing_cert and ed25519_signing_secret_key locally and copied them to /var/lib/tor/keys on my freshly installed VM, together with ed25519_master_id_public_key. Unfortunately, I didn't copy the old secret_id_key key file. I then realized that the fingerprint files under /var/lib/tor changed (despite that IP address, port number and identity key stayed the same) and that I wasn't able to connect to my bridge using Tor Browser.

So, a week later (yesterday), I gave it a new try and did the complete reinstallation and configuration process again, but with the slight difference of also copying the files secret_onion_key, secret_onion_key_ntor and secret_id_key to /var/lib/tor/keys. This resulted in the fingerprint files being as they were on my old installation, but I read the following message at /var/log/tor/notices.log:

[warn] http status 400 ("Looks like your keypair has changed? This authority previously recorded a different RSA identity for this Ed25519 identity (or vice versa.) Did you replace or copy some of your key files, but not the others? You should either restore the expected keypair, or delete your keys and restart Tor to start your relay with a new identity.") response from dirserver 66.111.2.131:9001. Please correct.

So, I uninstalled tor, copied only the files ed25519_master_id_public_key, secret_id_key, ed25519_signing_cert and ed25519_signing_secret_key to /var/lib/tor/keys, which unfortunately also resulted in the above warning message.

My question now: Do I still have a chance to recover the "old identity" of my bridge, or did I "burn" the old identity now since the directory authorities apparently registered a new identity?

Kind regards
telekobold

[1] https://deb.torproject.org/torproject.org/dists/bullseye/main/binary-amd64/P...
[2] https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorRelaySecurity/Offli...

I would really appreciate it if someone would reply to my email below if they know anything about this.

telekobold

On December 16, 2025 1:37:26 AM GMT+01:00, telekobold via tor-relays <tor-relays@lists.torproject.org> wrote:
Hi,
about four weeks ago, I switched off one of my relays and two of my bridges running on Debian 11 ("Bullseye") systems after discovering the "not recommended" flags on the Tor metrics overview of those relays with the intention of reinstalling and reconfiguring the underlying VMs and relays the following days. (A few days later, I read on this list that those flags are not that critical, but unfortunately Tor doesn't seem to be updated for Debian 11 at the official torproject Debian repositories [1]). But as life goes, something always came up in the days that followed. However, a week ago, I finally wanted to reinstall one of the bridges. I'm using Offline Relay Identity Keys [2], so I created a new intermediate key pair consisting of ed25519_signing_cert and ed25519_signing_secret_key locally and copied them to /var/lib/tor/keys on my freshly installed VM, together with ed25519_master_id_public_key. Unfortunately, I didn't copy the old secret_id_key key file. I then realized that the fingerprint files under /var/lib/tor changed (despite that IP address, port number and identity key stayed the same) and that I wasn't able to connect to my bridge using Tor Browser.
So, a week later (yesterday), I gave it a new try and did the complete reinstallation and configuration process again, but with the slight difference of also copying the files secret_onion_key, secret_onion_key_ntor and secret_id_key to /var/lib/tor/keys. This resulted in the fingerprint files being as they were on my old installation, but I read the following message at /var/log/tor/notices.log:
[warn] http status 400 ("Looks like your keypair has changed? This authority previously recorded a different RSA identity for this Ed25519 identity (or vice versa.) Did you replace or copy some of your key files, but not the others? You should either restore the expected keypair, or delete your keys and restart Tor to start your relay with a new identity.") response from dirserver 66.111.2.131:9001. Please correct.
So, I uninstalled tor, copied only the files ed25519_master_id_public_key, secret_id_key, ed25519_signing_cert and ed25519_signing_secret_key to /var/lib/tor/keys, which unfortunately also resulted in the above warning message.
My question now: Do I still have a chance to recover the "old identity" of my bridge, or did I "burn" the old identity now since the directory authorities apparently registered a new identity?
Kind regards telekobold
[1] https://deb.torproject.org/torproject.org/dists/bullseye/main/binary-amd64/P...
[2] https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorRelaySecurity/Offli...