Errors when moving relay: `Could not open "/var/lib/tor/keys/secret_id_key": Permission denied` & `Looks like your keypair has changed?`

  1. How can I fix secret_id_key permission error?
  2. How can I fix the http status 400 ("Looks like your keypair has changed? This authority previously recorded a different RSA identity for this Ed25519 identity") error?
  3. Would replacing the entire /var/lib/tor/keys/ directory avoid the different RSA identity error (#2 above)?

For context, I currently have 3 relays but plan on keeping only relays #1 and #3 after January 11th.

  1. 04B1E9882FF9CC529959F081AD5E4F1958A89890
  2. E393170D379A114C68BF6E1869538C6D7A760F17
  3. 9155C316F7BBC21E2F9D469A5D0DB1211CC7AB07

Here are the three steps I took in a failed attempt to swap relays 2 and 3:
1. At first, as per the relay moving guide, I tried to migrate the keys/ed25519_master_id_secret_key and keys/secret_id_key files to a new VPS (still hadn’t removed them from the old VPS nor stopped Tor on it) and I got the following error message:

http status 400 ("Looks like your keypair has changed? This authority previously recorded a different RSA identity for this Ed25519 identity (or vice ve...

2. So I then returned the newer VPS’ two original ID keys for the time being, but now when I run journalctl -r -u tor@default I get a secret_id_key permission error and I don’t know how to fix it:

Jan 27 02:26:37 debian-12 systemd[1]: Failed to start tor@default.service - Anonymizing overlay network for TCP.
Jan 27 02:26:37 debian-12 systemd[1]: tor@default.service: Failed with result 'exit-code'.
Jan 27 02:26:37 debian-12 systemd[1]: tor@default.service: Start request repeated too quickly.
Jan 27 02:26:37 debian-12 systemd[1]: Stopped tor@default.service - Anonymizing overlay network for TCP.
Jan 27 02:26:37 debian-12 systemd[1]: tor@default.service: Scheduled restart job, restart counter is at 5.
Jan 27 02:26:37 debian-12 systemd[1]: Failed to start tor@default.service - Anonymizing overlay network for TCP.
Jan 27 02:26:37 debian-12 systemd[1]: tor@default.service: Failed with result 'exit-code'.
Jan 27 02:26:37 debian-12 systemd[1]: tor@default.service: Main process exited, code=exited, status=1/FAILURE
Jan 27 02:26:37 debian-12 Tor[3652]: Error initializing keys; exiting
Jan 27 02:26:37 debian-12 Tor[3652]: Error loading private key.
Jan 27 02:26:37 debian-12 Tor[3652]: Unable to read file for private key in "/var/lib/tor/keys/secret_id_key"
Jan 27 02:26:37 debian-12 Tor[3652]: Could not open "/var/lib/tor/keys/secret_id_key": Permission denied
Jan 27 02:26:37 debian-12 Tor[3652]: Configured to measure statistics. Look for the *-stats files that will first be written to the data directory in 24 hours from now.
Jan 27 02:26:37 debian-12 Tor[3652]: Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Jan 27 02:26:37 debian-12 Tor[3652]: Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Jan 27 02:26:37 debian-12 Tor[3652]: Opened OR listener connection (ready) on 0.0.0.0:443
Jan 27 02:26:37 debian-12 Tor[3652]: Opening OR listener on 0.0.0.0:443
Jan 27 02:26:37 debian-12 Tor[3652]: Based on detected system memory, MaxMemInQueues is set to 720 MB. You can override this by setting MaxMemInQueues by hand.
Jan 27 02:26:37 debian-12 Tor[3652]: Read configuration file "/etc/tor/torrc".
Jan 27 02:26:37 debian-12 Tor[3652]: Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Jan 27 02:26:37 debian-12 Tor[3652]: Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/
Jan 27 02:26:37 debian-12 Tor[3652]: Tor 0.4.8.13 running on Linux with Libevent 2.1.12-stable, OpenSSL 3.0.15, Zlib 1.2.13, Liblzma 5.4.1, Libzstd 1.5.4 and Glibc 2.36 as libc.
Jan 27 02:26:37 debian-12 Tor[3652]: We compiled with OpenSSL 300000e0: OpenSSL 3.0.14 4 Jun 2024 and we are running with OpenSSL 300000f0: 3.0.15. These two versions should be binary compa>

3. For now I removed the keys/ed25519_master_id_secret_key and keys/secret_id_key files and restarted Tor to try and generate new identity keys on the new VPS and continue building consensus weight, and the relay is seemingly running but giving the “different RSA identity for this Ed25519 identity” message:

Jan 27 02:59:27 debian-12 Tor[4295]: Self-testing indicates your ORPort 185.141.216.40:443 is reachable from the outside. Excellent. Publishing server descriptor.
Jan 27 02:59:28 debian-12 Tor[4295]: http status 400 ("Looks like your keypair has changed? This authority previously recorded a different RSA identity for this Ed25519 identity (or vice ve>
2 Likes

Depending on how you copied the keys, they probably have the wrong owner. You can check this with ls -la /var/lib/tor/keys/. On Debian the result should look like this:

-rw------- 1 debian-tor debian-tor   64 Jan 18 21:41 ed25519_master_id_public_key
-rw------- 1 debian-tor debian-tor  172 Jan 26 22:24 ed25519_signing_cert
-rw------- 1 debian-tor debian-tor   96 Jan 26 22:24 ed25519_signing_secret_key
-rw------- 1 debian-tor debian-tor  888 Jan 18 21:39 secret_id_key
-rw------- 1 debian-tor debian-tor  888 Jan 18 21:41 secret_onion_key
-rw------- 1 debian-tor debian-tor   96 Jan 18 21:41 secret_onion_key_ntor

I would stop the tor daemon before changing the master keys.

3 Likes

secret_id_key and ed25519_master_id_secret_key

Those files need the correct rights set.
I posted a relay folder listing (on FreeBSD, user 256 is tor):

cd /var/db/tor ; ls -alo ; ls -alo keys/

drwx------ 2 256 256 - 512 Jan 26 17:40 keys
…
-rw------- 1 256 256 - 64 Sep 14 23:19 ed25519_master_id_public_key
-rw------- 1 256 256 - 172 Sep 14 23:19 ed25519_signing_cert
-rw------- 1 256 256 - 96 Sep 14 23:19 ed25519_signing_secret_key
-rw------- 1 256 256 - 887 Oct 18 2015 secret_id_key
-rw------- 1 256 256 - 892 Jan 26 17:40 secret_onion_key
-rw------- 1 256 256 - 96 Jan 26 17:40 secret_onion_key_ntor
…

The same rights apply to ed25519_master_id_secret_key.

ed25519_master_id_public_key, ed25519_signing_cert and ed25519_signing_secret_key are generated after tor starts. secret_onion_key and secret_onion_key_ntor are generated after tor starts too. They will be modified from time to time.

Additional: Offline Master Key

The listing above is missing ed25519_master_id_secret_key because

OfflineMasterKey 1

is used in my torrc. It’s for keeping the identity private.

It seems to be not an error but rather information. It will show up several times during debugging or playing around with these kinds of issues.

Cheers, Felix

3 Likes

I replaced them by first running the following commands on VPS #3:

rm ed25519_master_id_secret_key
rm secret_id_key

Then running these commands from my local machine with the ID keys from VPS #1:

scp /home/user/Downloads/first_relay/ed25519_master_id_secret_key root@185.141.216.40:/var/lib/tor/keys/
scp /home/user/Downloads/first_relay/secret_id_key root@185.141.216.40:/var/lib/tor/keys/

This is my output:

root@debian-12:~# ls -la /var/lib/tor/keys/
total 32
drwx--S--- 2 debian-tor debian-tor 4096 Jan 27 02:59 .
drwx--S--- 4 debian-tor debian-tor 4096 Jan 28 02:05 ..
-rwx------ 1 debian-tor debian-tor   64 Jan 26 23:05 ed25519_master_id_public_key
-rwx------ 1 debian-tor debian-tor  172 Jan 26 23:05 ed25519_signing_cert
-rwx------ 1 debian-tor debian-tor   96 Jan 26 23:05 ed25519_signing_secret_key
-rw------- 1 debian-tor debian-tor  892 Jan 27 02:59 secret_id_key
-rwx------ 1 debian-tor debian-tor  888 Jan 26 23:05 secret_onion_key
-rwx------ 1 debian-tor debian-tor   96 Jan 26 23:05 secret_onion_key_ntor
2 Likes

Is it running? The listing does not show ed25519_master_id_secret_key. The secret_id_key is newer than the others.
If not running or stopping soon, all keys in the listing could be deleted and the 2 important ones can be implemented again and restarted.

3 Likes

Hi, I have reinstalled the OS and the Tor setup. I copied over both the ed25519_master_id_secret_key and secret_id_key files via scp before running Tor for the first time but the permission issue persists.
I’m not very familiar with file permissions. Could you or someone please provide the commands I need to run to resolve the following error code? I’m running Debian 12. Thank you!

Feb 14 01:27:16 debian-12 Tor[28428]: Error initializing keys; exiting
Feb 14 01:27:16 debian-12 Tor[28428]: Error loading private key.
Feb 14 01:27:16 debian-12 Tor[28428]: Unable to read file for private key in "/var/lib/tor/keys/secret_id_key"
Feb 14 01:27:16 debian-12 Tor[28428]: Could not open "/var/lib/tor/keys/secret_id_key": Permission denied
2 Likes

chown debian-tor:debian-tor /var/lib/tor/keys/* should do the trick

2 Likes

Hey
On Debian you should stop the tor service, enter the keys directory as root or sudo and modify the permissions.

chmod 600 *

The file permissions should change from rwx to rw-. The keys directory and file ownership seem OK (both debian-tor). Then restart the tor service and fingers crossed it runs.

2 Likes

Permissions are relatively simple. Chmod 777 to let everyone read, write and execute them. This should be avoided as it isn't secure at all, but it could serve as a temporary fix whilst we troubleshoot. For a longer term fix, you could use chown, which would assign file ownership to tor.

2 Likes

chown -R debian-tor:debian-tor /var/lib/tor

The ArchWiki has some great explanations.

https://wiki.archlinux.org/title/File_permissions_and_attributes

2 Likes
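
A read-only check for the ownership and mode problem discussed in this thread, added here as an example and not part of any post. `audit_tor_keys` is a hypothetical helper name, GNU `stat` (as on Debian) is assumed, and the demo runs against a constructed temporary directory rather than the real keys directory.

```shell
#!/bin/sh
# Added example: read-only audit of a Tor keys directory.
# Uses GNU stat (-c), as shipped on Debian; nothing is modified.

# audit_tor_keys DIR OWNER   (hypothetical helper, not part of Tor)
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_tor_keys() {
    dir=$1 want=$2 bad=0

    # Directory: owned by the Tor user, no group/other permission bits.
    d_owner=$(stat -c %U "$dir")
    d_mode=$(stat -c %a "$dir")
    if [ "$d_owner" != "$want" ]; then
        echo "owner $dir is $d_owner want $want"; bad=1
    fi
    case $d_mode in
        *00) ;;
        *) echo "mode $dir is $d_mode want 700"; bad=1 ;;
    esac

    # Files: mode 600 means only the owner can read, so a key left
    # owned by root after scp gives the Tor user "Permission denied".
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        f_owner=$(stat -c %U "$f")
        f_mode=$(stat -c %a "$f")
        if [ "$f_owner" != "$want" ]; then
            echo "owner $f is $f_owner want $want"; bad=1
        fi
        if [ "$f_mode" != 600 ]; then
            echo "mode $f is $f_mode want 600"; bad=1
        fi
    done
    return "$bad"
}

# Constructed demo: a throwaway directory standing in for the keys directory.
demo=$(mktemp -d)
chmod 700 "$demo"
me=$(stat -c %U "$demo")   # owner of files this process creates
: > "$demo/secret_id_key";                chmod 600 "$demo/secret_id_key"
: > "$demo/ed25519_master_id_secret_key"; chmod 700 "$demo/ed25519_master_id_secret_key"
audit_tor_keys "$demo" "$me" || echo "findings above; fix before starting tor"
rm -rf "$demo"
```

On a Debian relay the call would be `audit_tor_keys /var/lib/tor/keys debian-tor`, run as root with the tor service stopped.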
