Issues with offline master key functionality

Hi everyone,

Two months ago I decided to try the new ed25519 key introduced in Tor 2.7 with OfflineMasterKey set so I can keep the master key in a different place and just upload the medium-term signing key every month. Last month everything went ok: I renewed the key and Tor accepted it. This time instead, after generating the new signing key with

    # tor --datadirectory path_to_my_master_key --signingkeylifetime '1 months' --keygen

and uploading ed25519_signing_cert and ed25519_signing_secret_key and fixing the permissions, Tor keeps saying

    Feb 03 07:27:40.000 [notice] It looks like I need to generate and sign a new medium-term signing key, because the one I have is expired. To do that, I need to load the permanent master identity key.
    Feb 03 07:27:40.000 [warn] We needed to load a secret key from /var/lib/tor/keys/ed25519_master_id_secret_key, but couldn't find it. Did you forget to copy it over when you copied the rest of the signing key material?
    Feb 03 07:27:40.000 [warn] Can't load master identity key; OfflineMasterKey is set.
    Feb 03 07:27:40.000 [err] Error initializing keys; exiting

That raises two questions to me:
- why does Tor think the new keys are already expired?
- why is Tor searching ed25519_master_id_secret_key? With OfflineMasterKey set it shouldn't care about the master secret key

Thank you,
patacca

Hello - see inline

On 2/3/2016 3:49 PM, Riccardo Mori wrote:
> Hi everyone,
> Two months ago I decided to try the new ed25519 key introduced in Tor 2.7 with OfflineMasterKey set so I can keep the master key in a different place and just upload the medium-term signing key every month. Last month everything went ok: I renewed the key and Tor accepted it. This time instead after generating the new signing key with
> # tor --datadirectory path_to_my_master_key --signingkeylifetime '1 months' --keygen
Why do you use such a value for SigningKeyLifetime when the default is 30 days already? You can just skip --signingkeylifetime and have the medium term signing key valid for 30 days (1 month). I am not totally sure *1 months* is a valid argument here (could be, not sure) - why not the default 30 days or more than 1 month?

Your problem is kind of strange so I need to make sure of some things, apologies in advance if the questions seem too obvious. Before answering all these, make sure you try without --signingkeylifetime or with another argument than *1 months* like 2 months, 6 months, 10 days, 30 days, etc.

- path_to_my_master_key is the path to the folder containing a 'keys' subfolder which contains the ed25519_master_id_secret_key or (_encrypted)?
- the user running the 'tor --keygen' command has read/write permissions to the targeted folder from --datadirectory?
- is the date on the server where the 'tor --keygen' command runs correct?
- fixing the permissions you mean changing the owner of the files to the user actually running the Tor daemon on your system? (debian-tor, _tor, etc.)
> and uploading ed25519_signing_cert and ed25519_signing_secret_key and fixing the permission, Tor keep saying
> Feb 03 07:27:40.000 [notice] It looks like I need to generate and sign a new medium-term signing key, because the one I have is expired. To do that, I need to load the permanent master identity key.
> Feb 03 07:27:40.000 [warn] We needed to load a secret key from /var/lib/tor/keys/ed25519_master_id_secret_key, but couldn't find it. Did you forget to copy it over when you copied the rest of the signing key material?
> Feb 03 07:27:40.000 [warn] Can't load master identity key; OfflineMasterKey is set.
> Feb 03 07:27:40.000 [err] Error initializing keys; exiting
> That raises two questions to me:
> - why does Tor think the new keys are already expired?
> - why is Tor searching ed25519_master_id_secret_key? With OfflineMasterKey set it shouldn't care about the master secret key
It doesn't -- the only problem is that it warns when it shouldn't. Only a log message issue which is known and reported here: https://trac.torproject.org/projects/tor/ticket/18133
> Thank you,
> patacca

Thank you s7r for helping!

On 03/02/2016 17:53, s7r wrote:
> Hello - see inline
> On 2/3/2016 3:49 PM, Riccardo Mori wrote:
>> Hi everyone,
>> Two months ago I decided to try the new ed25519 key introduced in Tor 2.7 with OfflineMasterKey set so I can keep the master key in a different place and just upload the medium-term signing key every month. Last month everything went ok: I renewed the key and Tor accepted it. This time instead after generating the new signing key with
>> # tor --datadirectory path_to_my_master_key --signingkeylifetime '1 months' --keygen
> Why do you use such a value for SigningKeyLifetime when the default is 30 days already? You can just skip --signingkeylifetime and have medium term signing key valid for 30 days (1 month). I am not totally sure *1 months* is a valid argument here (could be, not sure) - why not the default 30 days or more than 1 month?
I wasn't sure about the default value, and in case the default value were changed after an update, mine would still be 1 month. Anyway there's no important reason. In the two text files attached there's the history of the commands I typed (made with script), so if you want you can find more details there. I am going to reply to your questions here anyway.

> - path_to_my_master_key is the path to the folder containing a 'keys' subfolder which contains the ed25519_master_id_secret_key or (_encrypted)?
> - the user running the 'tor --keygen' command has read/write permissions to the targeted folder from --datadirectory?

Yes to both of them; the folder contains ed25519_master_id_secret_key_encrypted and ed25519_master_id_public_key.

> - is the date on the server where the 'tor --keygen' command runs correct?

Yeah, the date is synchronized with ntp on both systems (the Tor node and my laptop that contains the master key); the only thing that could be an issue is that the two systems are in different time zones: one is UTC+1 and the other is CST (UTC-6).

> - fixing the permissions you mean changing the owner of the files to the user actually running the Tor daemon on your system? (debian-tor, _tor, etc.)

Yes, it's debian-tor; the Tor node is running on Debian 8.3.

> Why do you use such a value for SigningKeyLifetime when the default is 30 days already? You can just skip --signingkeylifetime and have medium term signing key valid for 30 days (1 month). I am not totally sure *1 months* is a valid argument here (could be, not sure)
--signingkeylifetime '1 months' is fine (tested), it is not the same as 30 days (by a few hours) but otherwise it is ok.

> Two months ago I decided to try the new ed25519 key introduced in Tor 2.7 with OfflineMasterKey
great to see more people using/testing this feature.
> That raises two questions to me:
> - why does Tor think the new keys are already expired?
Did you manually verify the expire dates of the newly generated cert/key files?

See also:
https://trac.torproject.org/projects/tor/ticket/18228
https://trac.torproject.org/projects/tor/ticket/18133#comment:3

Sharing your torrc config might help others reproduce your problem.

btw: consider doing fewer steps as root, it is not needed to generate keys or scp stuff as root

On 04/02/2016 00:00, nusenu wrote:
>> Two months ago I decided to try the new ed25519 key introduced in Tor 2.7 with OfflineMasterKey
> great to see more people using/testing this feature.
>> That raises two questions to me:
>> - why does Tor think the new keys are already expired?
> Did you manually verify the expire dates of the newly generated cert/key files?
> See also: https://trac.torproject.org/projects/tor/ticket/18228
> https://trac.torproject.org/projects/tor/ticket/18133#comment:3
Thanks, that helped a lot; I didn't know how to show the expire date of the certificate.

It turned out it was an idiot mistake: I was copying the wrong certificate, the expired one instead of the newly generated one! It would have been much easier to debug knowing this from the start =)
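Both the check nusenu asked for (look at the expiry of the freshly generated cert before copying it) and the mistake found at the end of the thread (an expired ed25519_signing_cert copied to the relay instead of the new one) can be caught without starting tor. The script below is an added example written for this thread, not Tor's own code and not something any participant posted: it decodes an ed25519_signing_cert using the layout in Tor's cert-spec.txt (version byte, cert type, expiry in hours since the epoch, certified key, extensions, 64-byte signature), reports whether the cert is expired at a given time, and also checks that the signed-with-ed25519-key extension matches the key in ed25519_master_id_public_key, since on an OfflineMasterKey relay that is the only master-key material tor has. The 32-byte NUL-padded file headers ("== ed25519v1-cert: type0 ==" and "== ed25519v1-public: type0 ==") and the constants are this example's reading of the Tor source and spec; build_cert() is a constructed fixture with a dummy signature, and because the script is standard-library only it does not verify the Ed25519 signature itself.

```python
"""Check a Tor ed25519_signing_cert before copying it to the relay.

Added example for this thread (not Tor's code). Field layout per Tor's
cert-spec.txt; the 32-byte tagged file header is this example's reading
of Tor's key-file format. The Ed25519 signature is NOT verified (stdlib only).
"""
import struct
import sys
from datetime import datetime, timedelta, timezone

HEADER_LEN = 32
CERT_HEADER = b"== ed25519v1-cert: type0 =="      # assumed header of ed25519_signing_cert
PUBKEY_HEADER = b"== ed25519v1-public: type0 =="  # assumed header of ed25519_master_id_public_key
CERT_TYPE_ID_SIGNING = 0x04          # "Ed25519 signing key, signed with identity key"
EXT_SIGNED_WITH_ED25519_KEY = 0x04   # extension carrying the signer's public key
EXT_FLAG_AFFECTS_VALIDATION = 0x01
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def utc(year, month, day, hour=0, minute=0):
    """Convenience: a timezone-aware UTC datetime (used by the checks below)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def strip_header(blob: bytes, header: bytes) -> bytes:
    """Verify and remove Tor's NUL-padded 32-byte tagged file header."""
    if blob[:HEADER_LEN] != header.ljust(HEADER_LEN, b"\0"):
        raise ValueError("unexpected file header (wrong file, or not a Tor key file?)")
    return blob[HEADER_LEN:]


def parse_cert(body: bytes) -> dict:
    """Decode a version-1 Ed25519 certificate body into its fields."""
    version, cert_type, exp_hours, key_type = struct.unpack(">BBIB", body[:7])
    if version != 1:
        raise ValueError(f"unsupported certificate version {version}")
    certified_key = body[7:39]          # 32-byte key being certified
    n_ext = body[39]
    pos = 40
    signed_with = None
    for _ in range(n_ext):
        ext_len, ext_type, ext_flags = struct.unpack(">HBB", body[pos:pos + 4])
        ext_data = body[pos + 4:pos + 4 + ext_len]
        if len(ext_data) != ext_len:
            raise ValueError("truncated extension")
        if ext_type == EXT_SIGNED_WITH_ED25519_KEY:
            signed_with = ext_data
        elif ext_flags & EXT_FLAG_AFFECTS_VALIDATION:
            # spec: an unknown extension with this flag set makes the cert invalid
            raise ValueError(f"unknown extension {ext_type} marked as affecting validation")
        pos += 4 + ext_len
    signature = body[pos:pos + 64]
    if len(signature) != 64:
        raise ValueError("truncated signature")
    return {
        "cert_type": cert_type,
        "expires": EPOCH + timedelta(hours=exp_hours),   # hour granularity, UTC
        "key_type": key_type,
        "certified_key": certified_key,
        "signed_with": signed_with,
    }


def check_signing_cert(cert_file: bytes, master_pub_file: bytes, now: datetime) -> list:
    """Return a list of problems; an empty list means the cert is current and ours."""
    cert = parse_cert(strip_header(cert_file, CERT_HEADER))
    master_pub = strip_header(master_pub_file, PUBKEY_HEADER)[:32]
    problems = []
    if cert["cert_type"] != CERT_TYPE_ID_SIGNING:
        problems.append(f"cert type {cert['cert_type']:#x} is not a signing-key cert")
    if cert["expires"] <= now:
        problems.append(f"expired at {cert['expires']:%Y-%m-%d %H:%M} UTC")
    if cert["signed_with"] is None:
        problems.append("no signed-with-ed25519-key extension")
    elif cert["signed_with"] != master_pub:
        problems.append("not signed by the master key in ed25519_master_id_public_key")
    return problems


def build_cert(signing_pub: bytes, master_pub: bytes, expires: datetime,
               signature: bytes = b"\0" * 64) -> bytes:
    """Constructed test fixture: a cert *file* in the same layout, dummy signature."""
    exp_hours = int((expires - EPOCH).total_seconds() // 3600)
    ext = struct.pack(">HBB", 32, EXT_SIGNED_WITH_ED25519_KEY, 0) + master_pub
    body = (struct.pack(">BBIB", 1, CERT_TYPE_ID_SIGNING, exp_hours, 1)
            + signing_pub + bytes([1]) + ext + signature)
    return CERT_HEADER.ljust(HEADER_LEN, b"\0") + body


if __name__ == "__main__":
    # usage: check_signing_cert.py keys/ed25519_signing_cert keys/ed25519_master_id_public_key
    with open(sys.argv[1], "rb") as f:
        cert_blob = f.read()
    with open(sys.argv[2], "rb") as f:
        pub_blob = f.read()
    found = check_signing_cert(cert_blob, pub_blob, datetime.now(timezone.utc))
    print("OK: cert is current and signed by this master key" if not found else "\n".join(found))
    sys.exit(1 if found else 0)
```

Run it on the machine holding the master key right after tor --keygen (the files are under path_to_my_master_key/keys/) and again on the relay after the scp, as the user tor runs as; an "expired at ..." line is the same condition that produced the "[notice] ... the one I have is expired" message in the log above, and a signer mismatch means the cert was produced with a different master key than the one the relay has.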
participants (3)
- nusenu
- Riccardo Mori
- s7r