Opened 2 months ago

Last modified 11 days ago

#31669 needs_information defect

Invalid signature for service descriptor signing key: expired

Reported by: a_p Owned by:
Priority: Medium Milestone: Tor: unspecified
Component: Core Tor/Tor Version: Tor: 0.4.1.5
Severity: Normal Keywords: tor-hs, log
Cc: asn, dgoulet Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

when searching for this log entry: #26932

The following log entry has been seen on exit relays running in OfflineMasterKey mode. Online keys did not expire, relay did not shutdown when this log entry was observed. We did not observe any service degradation.

Invalid signature for service descriptor signing key: expired

Child Tickets

Change History (9)

comment:1 Changed 2 months ago by arma

This message sounds like there is an onion service involved, but the onion service is broken (its signing key is old, perhaps because its clock is super wrong).

Was this a warning-level log? Your quote doesn't say what log severity it was.

Were there any onion services involved in these exit relays? E.g. they hosted some or they were visiting some as a client?

The other possibility is that they were simply being normal HSDirs, and relays that receive encrypted onion descriptors still validate them enough to find this error. In that case we should consider turning the log into an info-level log, since there is nothing your relay can do about it.

comment:2 in reply to:  1 Changed 2 months ago by teor

Replying to arma:

This message sounds like there is an onion service involved, but the onion service is broken (its signing key is old, perhaps because its clock is super wrong).

Was this a warning-level log? Your quote doesn't say what log severity it was.

Yes, it's a warning-level log:
https://github.com/torproject/tor/blob/27e067df4fd3148b59dd0377d1a7b111460a2b53/src/feature/hs/hs_descriptor.c#L1293

Were there any onion services involved in these exit relays? E.g. they hosted some or they were visiting some as a client?

The other possibility is that they were simply being normal HSDirs, and relays that receive encrypted onion descriptors still validate them enough to find this error. In that case we should consider turning the log into an info-level log, since there is nothing your relay can do about it.

We should make it a protocol warning, so that we still see it in test networks.

It looks like there are a lot of warnings in the cert code, which should actually be protocol warnings. Maybe we need to pass an "is_remote" flag to our validation code, and switch to protocol warnings when it is true.

comment:3 Changed 2 months ago by teor

Cc: asn dgoulet added
Keywords: tor-hs log added
Milestone: Tor: unspecified

asn, dgoulet: how important is this ticket? Should we try to fix it as part of sponsor 27?

comment:4 Changed 2 months ago by asn

Hmm, that's peculiar. This could indeed be caused by a skewed clock on the service-side (altho that's weird since the HS requires a live consensus to publish descriptors), or it could be a deeper bug.

I don't think we should turn this into an info-level log, so that we can see if it becomes more frequent, but perhaps we should turn it into a protocol warnings since there is indeed nothing the relay operator can do about it.

With regards to debugging, I would probably wait a bit to see if this appears again.

comment:5 Changed 4 weeks ago by toralf

I hit this yesterday (for the first time) at a guard and middle relay 63BF46A63F9C2. Few exit ports are open, but either 80 nor 443) nor any onion service hosted on it.

The relay did not had the HSDir flag when it happened (today it got it after 4 days of uptime).

I do use OfflineMasterKey.

The key is valid for less than 10 days FWIW in this moment

/opt/torutils/key-expires.py /var/lib/tor/data/keys/ed25519_signing_cert
817532

using https://github.com/toralf/torutils/blob/master/key-expires.py

Last edited 4 weeks ago by toralf (previous) (diff)

comment:6 Changed 3 weeks ago by asn

Status: newneeds_information

Hmm, I have no idea how this relates to OfflineMasterKey. OfflineMasterKey is about the relay identity key, but the log message is about the onion service descriptor signing key. The two keys should be completely independent... :/ Still...

comment:7 in reply to:  1 Changed 2 weeks ago by a_p

Replying to arma:

Were there any onion services involved in these exit relays? E.g. they hosted some or they were visiting some as a client?

these are exit relays only.

they are not used as onion services, there is not client port (SOCKS) open.

comment:8 in reply to:  4 Changed 2 weeks ago by a_p

Replying to asn:

With regards to debugging, I would probably wait a bit to see if this appears again.

I'm seeing this on two exits (out of 16).

comment:9 Changed 11 days ago by dgoulet

I've been seeing it recently quite a bit on my relays.

There are a lot of warnings in the descriptor decoding code that anyone out there could trigger on HSDirs... It seems a bit "messy" to have a is_remote flag on all those functions... But I also don't have a better answer.

Note: See TracTickets for help on using tickets.