[tor-relays] Tor not reading medium-term signing key.

12xBTM 12xbtm at gmail.com
Mon Jan 4 22:13:52 UTC 2016


Now I'm getting permission denied, still out-dated key, and missing
master_id_secret_key errors, which are unsurprisingly fatal.

Jan 04 22:41:33.000 [warn] Could not open
"/var/lib/tor/keys/ed25519_signing_secret_key": Permission denied
Jan 04 22:41:33.000 [notice] It looks like I need to generate and sign a
new medium-term signing key, because I don't have one. To do that, I
need to load the permanent master identity key.
Jan 04 22:41:33.000 [warn] We needed to load a secret key from
/var/lib/tor/keys/ed25519_master_id_secret_key, but couldn't find it.
Did you forget to copy it over when you copied the rest of the signing
key material?
Jan 04 22:41:33.000 [warn] Can't load master identity key;
OfflineMasterKey is set.
Jan 04 22:41:33.000 [err] Error initializing keys; exiting

Which is funny, because the [user] has permission over
signing_secret_key, and the ed25519_master_id_secret_key is totally in
/var/lib/tor/keys/.



At this point, I just disabled OfflineMasterKeys because there's just
not enough information available for me to go about this. If you know of
a way to completely regenerate signing keys, master keys, and whatever
other keys I need besides the one for my fingerprint, that'd be nice,
because I'm fairly certain things are completely screwed up now since
Tor can't find or access the the signing_secret_key or
master_id_secret_key. I'll be sure to implement that key regeneration in
a week or so when I can correct the keys on this node, until then, I'll
leave this exit node off until I'm sure it's using valid keys, because
there's no point in having a faulty exit node.

secret_id_key, secret_onion_key, and secret_onion_key_ntor weren't
touched (I think). So it's the others keys I need to fix.

I'll try this OfflineMasterKeys thing when more operational information
is released about it. Because, not only do I not know what I'm doing, I
don't even know what it does at this point. --keygen on the master key
and writing it automatically to a [user] directory made it property of
[user] instead of debian-tor. Also, what is
master_id_secret_key_encrypted used for if Tor says it can't use an
encrypted master_id_secret_key?

I'm absolutely a linux noob, and I know that's not helping.



On 4.1.16 16:09, s7r wrote:
> Hello,
> 
> Let's recap (hope I am not missing something):
> 
> a) you make sure master_id_secret_key is available in
> /home/[user]/.tor/keys
> b) you run # tor --keygen and provide the correct passphrase
> c) you *move* the newly generated ed25519_signing_secret_key and
> ed25519_signing_cert *FROM* /home/[user]/.tor/keys *TO*
> /var/lib/tor/keys or wherever your Tor datadirectory is (depending on
> your OS / distro) and reload or restart Tor. You don't need to shut
> down Tor while you use --keygen, you can only reload (HUP) or restart
> after you've moved the new key and cert.
> 
> and you still get the same notice that the medium term signing key is
> going to expire soon?
> 
> If yes, can you let me know other details about your setup? Do you use
> a SigningKeyLifetime parameter in your torrc?
> 
> Also, the directory doesn't need to be /home/[user]/.tor/keys if you
> are willing to pass it with --datadirectory argument (Tor will just
> need write permission in the target folder):
> 
> # tor --datadirectory /some/path --keygen (the master_id_secret_key
> needs to be inside a keys folder in /some/path, eg:
> /some/path/keys/ed25519_master_id_secret_key).
> 
> The new medium term signing key and cert will be saved in the same
> folder and you have to manually move them to your working Tor's
> instance datadirectory folder as explained above.
> 
> We are working on making this simpler by allowing to manually set the
> master id secret key path and ask for a different output folder for
> the created files.
> 
> 
> On 1/4/2016 9:53 PM, 12xBTM wrote:
>> So my medium-term signing key expires tomorrow, and Tor notices.log
>> is all up and down about:
> 
>> Jan 04 19:22:46.000 [notice] It looks like I should try to generate
>> and sign a new medium-term signing key, because the one I have is
>> going to expire soon. But OfflineMasterKey is set, so I won't try
>> to load a permanent master identity key is set. You will need to
>> use 'tor --keygen' make a new signing key and certificate.
> 
>> Now, that's great and all, so I tossed my master_id_public_key and
>> the master_id_secret_key_encrypted into the folder they were
>> originally generated in, which is:
>> /home/[user]/.tor/keys/ed25519.... Turned off Tor, ran "tor
>> --keygen" Gave my password. It generates a new signing_cert and
>> signing_secret_key in the same directory. And now, no matter what I
>> do, Tor keeps giving the same notice over and over again that the
>> keys are expiring.
> 
>> The documentation for this feature is slightly lacking. So, if
>> anyone knows what I'm doing wrong, that'd be very helpful.
> 
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
> 


More information about the tor-relays mailing list