Opened 10 days ago

Last modified 9 days ago

#30482 new defect

unexpected warning: Invalid signature for service descriptor signing key: expired

Reported by: toralf Owned by:
Priority: Medium Milestone: Tor: unspecified
Component: Core Tor/Tor Version: Tor:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


I do wonder about

# tail -n 2 /tmp/notice2.log
May 12 10:42:13.000 [notice] DoS mitigation since startup: 10 circuits killed with too many cells. 13604 circuits rejected, 12 marked addresses. 106 connections closed. 1917 single hop clients refused.
May 12 14:30:03.000 [warn] Invalid signature for service descriptor signing key: expired

b/c it looks ok:

# tor --key-expiration sign -f /etc/tor/torrc2 
May 12 16:27:26.845 [notice] Tor running on Linux with Libevent 2.1.8-stable, OpenSSL LibreSSL 2.8.3, Zlib 1.2.11, Liblzma 5.2.4, and Libzstd N/A.
May 12 16:27:26.845 [notice] Tor can't help you if you use it wrong! Learn how to be safe at
May 12 16:27:26.845 [notice] Read configuration file "/etc/tor/torrc2".
May 12 16:27:26.849 [notice] Included configuration file or directory at recursion level 1: "/etc/tor/torrc.d/00_common".
May 12 16:27:26.849 [notice] Based on detected system memory, MaxMemInQueues is set to 8192 MB. You can override this by setting MaxMemInQueues by hand.
May 12 16:27:26.858 [notice] We were built to run on a 64-bit CPU, with OpenSSL 1.0.1 or later, but with a version of OpenSSL that apparently lacks accelerated support for the NIST P-224 and P-256 groups. Building openssl with such support (using the enable-ec_nistp_64_gcc_128 option when configuring it) would make ECDH much faster.
May 12 16:27:26.973 [notice] Your Tor server's identity key fingerprint is 'zwiebeltoralf2 509EAB4C5D10C9A9A24B4EA0CE402C047A2D64E6'
May 12 16:27:26.973 [notice] The signing certificate stored in /var/lib/tor/data2/keys/ed25519_signing_cert is valid until 2019-08-10 04:00:00.
signing-cert-expiry: 2019-08-10 04:00:00

Child Tickets

Change History (3)

comment:1 Changed 9 days ago by arma

This "Invalid signature for service descriptor signing key: expired" phrase comes from your relay because somebody tried to upload an onion service descriptor to you (presumably in your role as an HSDir), and you thought it was malformed:

My guess is that we should get dgoulet and asn to look at this to make sure they aren't surprised by anything, or think of new bugs to fix, and then somebody should go through and turn all the log_warn's into log_protocol_warn's if they happen on the relay side: there's nothing the relay operator can do if somebody screws up their onion service publish.

E.g., cert_parse_and_validate() might want a log_severity argument, so

    log_warn(LD_REND, "Certificate for %s couldn't be parsed.", err_msg);

can decide how loudly it's supposed to yell.

comment:2 Changed 9 days ago by toralf


(presumably in your role as an HSDir)

Well, this relay does not have the HSDir flag, but it has: Fast Guard Running Stable V2Dir Valid

comment:3 Changed 9 days ago by ahf

Milestone: Tor: unspecified
Note: See TracTickets for help on using tickets.