Cntools says -> Keys expired! But they aren't

When I start cntools on my cold node, it says, that my keys are expired. But the expire date is far in the future. When I copy the keys from my cold node to my hot node everything is fine. cntools on the hot node doesn’t have any issue and gLieveView shows me every thing correct.

Even when I rotate the keys on the cold node with cntools (step1), right after, it shows the warning that the keys are expired (step2).



After rotaing, kes.start, hot.vkey, hot.skey, op.cert and cold.counter have an actual timestamp.

kes.start seems to be actual.

cat kes.start


I can’t do anything with the content of cold.counter. Can someone explain to me what’s up with that? Maybe the problem is here?!?

# cat cold.counter
    "type": "NodeOperationalCertificateIssueCounter",
    "description": "Next certificate issue number: 19",
    "cborHex": "82135.......a6a0"


Because the node not started as a Producer (yet)
Wait till the node will be shown as a Producer on glive then start cntools again


PS: if u are running cntoola on your cold node (in offline mode) then it’s normal to see this error

Try to start the cntools on your live node after u updated the files (also u should see the new KES expiration inside glive)

Yes, that’s the case. When I start cntools on my hot node with updated keys, everything is fine.

Thank you for your quick response.

1 Like