[tor-relays] Configuring key expiration warning messages?

telekobold · May 19, 2023, 11:55am

Hi everyone,

I'm using OfflineMasterKey 1 for my Tor bridge, hosting and renewing the
long-term identity key on a Tails USB stick.

I observed that Tor starts printing warning messages to
/var/log/tor/notices.log 24 hours before the intermediate key expires.
My question is if there is a flag that could be set in the torrc file to
start printing these warning message more than 24 hours before the
expiration time, possibly even with outputting the exact expiration
time? If there isn't such an option, does anyone happen to have a script
ready for this (before I start trying to implement something like this
myself)?

Kind regards
telekobold

···

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

trinity-1686a · May 22, 2023, 7:55am

Hi,

It [looks like `TestingSigningKeySlop`][1] might be what you are
looking for. I'm not entirely sure why it's categorized as a Testing
option, as it seems to do something useful outside of testing, so
maybe don't use it just yet?
There doesn't seem to be a way to print the expiration time from that
warning you get. You can get that time by running `tor -f
/path/to/torrc --key-expiration sign --format iso8601 --quiet` (or
`--format timestamp` if you are into unix timestamps).
In an [hopefully close future][2], it will also be possible to setup
alerting if you have monitoring through Grafana or similar (or by
querying the MetricsPort with a script).

[1]: src/feature/relay/routerkeys.c · 34da50718a4395936736c32e8cc24876d2f7e10c · The Tor Project / Core / Tor · GitLab
[2]: add new metrics entry for cert expiration (!698) · Merge requests · The Tor Project / Core / Tor · GitLab

Regards,

trinity-1686a

···

On Mon, 22 May 2023 at 09:04, telekobold <torproject-ml@telekobold.de> wrote:

Hi everyone,

I'm using OfflineMasterKey 1 for my Tor bridge, hosting and renewing the
long-term identity key on a Tails USB stick.

I observed that Tor starts printing warning messages to
/var/log/tor/notices.log 24 hours before the intermediate key expires.
My question is if there is a flag that could be set in the torrc file to
start printing these warning message more than 24 hours before the
expiration time, possibly even with outputting the exact expiration
time? If there isn't such an option, does anyone happen to have a script
ready for this (before I start trying to implement something like this
myself)?

Kind regards
telekobold
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
tor-relays Info Page

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

lists · May 22, 2023, 7:23pm

Yes in toralf's /torutils:

github.com

toralf/torutils/blob/main/key-expires.py

#!/usr/bin/env python
# SPDX-License-Identifier: GPL-3.0-or-later
# -*- coding: utf-8 -*-

# put out the time (in seconds) before the medium-term signing Tor certs expires

# example call (as root):
# n=$(($(key-expires.py /var/lib/tor/data/keys/ed25519_signing_cert) / 86400)); [[ $n -lt 35 ]] && echo "Tor cert expires in less than $n day(s)"

import codecs
import sys
import time

with open(sys.argv[1], "rb") as f:
    cert = f.read()
    expire = int(codecs.encode(cert[35:38], "hex"), 16)  # expiration timestamp in hours
    now = int(time.time())  # current timestamp in seconds
    print(3600 * expire - now)

···

On Freitag, 19. Mai 2023 13:55:10 CEST telekobold wrote:

If there isn't such an option, does anyone happen to have a script
ready for this (before I start trying to implement something like this
myself)?

--
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!