Now I'm getting permission denied, still out-dated key, and missing master_id_secret_key errors, which are unsurprisingly fatal.

Jan 04 22:41:33.000 [warn] Could not open "/var/lib/tor/keys/ed25519_signing_secret_key": Permission denied
Jan 04 22:41:33.000 [notice] It looks like I need to generate and sign a new medium-term signing key, because I don't have one. To do that, I need to load the permanent master identity key.
Jan 04 22:41:33.000 [warn] We needed to load a secret key from /var/lib/tor/keys/ed25519_master_id_secret_key, but couldn't find it. Did you forget to copy it over when you copied the rest of the signing key material?
Jan 04 22:41:33.000 [warn] Can't load master identity key; OfflineMasterKey is set.
Jan 04 22:41:33.000 [err] Error initializing keys; exiting

Which is funny, because the [user] has permission over signing_secret_key, and the ed25519_master_id_secret_key is totally in /var/lib/tor/keys/.

At this point, I just disabled OfflineMasterKeys because there's just not enough information available for me to go about this. If you know of a way to completely regenerate signing keys, master keys, and whatever other keys I need besides the one for my fingerprint, that'd be nice, because I'm fairly certain things are completely screwed up now since Tor can't find or access the signing_secret_key or master_id_secret_key.

I'll be sure to implement that key regeneration in a week or so when I can correct the keys on this node. Until then, I'll leave this exit node off until I'm sure it's using valid keys, because there's no point in having a faulty exit node.

secret_id_key, secret_onion_key, and secret_onion_key_ntor weren't touched (I think). So it's the other keys I need to fix. I'll try this OfflineMasterKeys thing when more operational information is released about it. Because, not only do I not know what I'm doing, I don't even know what it does at this point.

--keygen on the master key and writing it automatically to a [user] directory made it property of [user] instead of debian-tor.

Also, what is master_id_secret_key_encrypted used for if Tor says it can't use an encrypted master_id_secret_key? I'm absolutely a Linux noob, and I know that's not helping.

On 4.1.16 16:09, s7r wrote:
> Hello,
>
> Let's recap (hope I am not missing something):
>
> a) you make sure master_id_secret_key is available in
> /home/[user]/.tor/keys
> b) you run # tor --keygen and provide the correct passphrase
> c) you *move* the newly generated ed25519_signing_secret_key and
> ed25519_signing_cert *FROM* /home/[user]/.tor/keys *TO*
> /var/lib/tor/keys or wherever your Tor datadirectory is (depending on
> your OS / distro) and reload or restart Tor. You don't need to shut
> down Tor while you use --keygen, you can only reload (HUP) or restart
> after you've moved the new key and cert.
>
> and you still get the same notice that the medium term signing key is
> going to expire soon?
>
> If yes, can you let me know other details about your setup? Do you use
> a SigningKeyLifetime parameter in your torrc?
>
> Also, the directory doesn't need to be /home/[user]/.tor/keys if you
> are willing to pass it with --datadirectory argument (Tor will just
> need write permission in the target folder):
>
> # tor --datadirectory /some/path --keygen (the master_id_secret_key
> needs to be inside a keys folder in /some/path, eg:
> /some/path/keys/ed25519_master_id_secret_key).
>
> The new medium term signing key and cert will be saved in the same
> folder and you have to manually move them to your working Tor's
> instance datadirectory folder as explained above.
>
> We are working on making this simpler by allowing to manually set the
> master id secret key path and ask for a different output folder for
> the created files.
>
>
> On 1/4/2016 9:53 PM, 12xBTM wrote:
>> So my medium-term signing key expires tomorrow, and Tor notices.log
>> is all up and down about:
>
>> Jan 04 19:22:46.000 [notice] It looks like I should try to generate
>> and sign a new medium-term signing key, because the one I have is
>> going to expire soon. But OfflineMasterKey is set, so I won't try
>> to load a permanent master identity key is set. You will need to
>> use 'tor --keygen' make a new signing key and certificate.
>
>> Now, that's great and all, so I tossed my master_id_public_key and
>> the master_id_secret_key_encrypted into the folder they were
>> originally generated in, which is:
>> /home/[user]/.tor/keys/ed25519.... Turned off Tor, ran "tor
>> --keygen" Gave my password. It generates a new signing_cert and
>> signing_secret_key in the same directory. And now, no matter what I
>> do, Tor keeps giving the same notice over and over again that the
>> keys are expiring.
>
>> The documentation for this feature is slightly lacking. So, if
>> anyone knows what I'm doing wrong, that'd be very helpful.
>
> _______________________________________________
> tor-relays mailing list
> [email protected]
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
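
Added example, not part of the original thread or of Tor itself: a check to run after moving the files produced by `tor --keygen` into the relay's data directory, covering the ownership mismatch behind the "Permission denied" line above. The function name `check_tor_keys` is hypothetical, GNU `stat` is assumed, and the directory and owner (`/var/lib/tor/keys`, `debian-tor`) are the ones named in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit the signing-key files after
# moving them into Tor's DataDirectory. Assumes GNU stat (Linux).
# Usage: check_tor_keys /var/lib/tor/keys debian-tor

# check_tor_keys KEYDIR OWNER
# Prints one line per finding; returns 1 if a signing-key file is missing,
# has the wrong owner, or the secret key has a loose mode, 0 otherwise.
check_tor_keys() {
    keydir=$1
    owner=$2
    problems=0

    # Files the relay reads at startup when OfflineMasterKey is set.
    for f in ed25519_signing_secret_key ed25519_signing_cert; do
        path="$keydir/$f"
        if [ ! -f "$path" ]; then
            echo "MISSING $f"
            problems=1
            continue
        fi
        file_owner=$(stat -c '%U' "$path")
        file_mode=$(stat -c '%a' "$path")
        # Files written by "tor --keygen" belong to whoever ran it.
        if [ "$file_owner" != "$owner" ]; then
            echo "OWNER $f is $file_owner, expected $owner"
            problems=1
        fi
        # The secret half must not be readable by group or others.
        if [ "$f" = ed25519_signing_secret_key ]; then
            case "$file_mode" in
                600|400) ;;
                *) echo "MODE $f is $file_mode, expected 600"
                   problems=1 ;;
            esac
        fi
    done

    # Informational: an offline master key is meant to stay off the relay.
    for f in ed25519_master_id_secret_key \
             ed25519_master_id_secret_key_encrypted; do
        if [ -e "$keydir/$f" ]; then
            echo "NOTE $f is stored in $keydir"
        fi
    done
    return "$problems"
}
```

An `OWNER` finding is fixed with `chown` to the account Tor runs as before reloading or restarting the relay.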
