Hi all,
It’s not the first time I am rotating my keys, but this time for an unknown reason I can’t rotate them.
There is probably something I am doing wrong but I don’t see what.
I used the latest rotateKES.sh and followed each step on my producer node and on my air-gap machine. Everything seems to be correct: KES period, counter values. Nothing shows me that something went wrong renewing the node.cert.
But from journalctl, I can still see after restarting my block producer: Operational key will expire in 7 KES periods
Any idea what else I should check?
Thx
hmm… do you wanna give the Stakepool Operator Scripts a try?
You can find them here:
You only need the 00_common.sh and set your environment in the first few lines.
And then the scripts 04c and 04d to rotate the KES keys and generate a new opcert.
All that's needed is to have the pool keys in the right naming format like:
xxx.node.skey
xxx.node.vkey
xxx.vrf.skey
xxx.vrf.vkey
And then you can run scripts 04c and 04d.
With your current setup, the keys for the block producer must be in chmod 400 xxx access. So only the owner can read them. Maybe you have not really overwritten the old files with the new ones because of this? Try to set it to chmod 600 xxx first and retry it to update them.
I have been redoing the operation setting keys and cert to 600 to be sure they are overwritten. Unfortunately, the result is the same after restarting the node producer.
Yes I know for the +wrx access on Linux, but I didn’t have that problem before.
You wrote the keys must have the format:
xxx.node.skey … what does the xxx prefix mean in your naming convention?
I checked the 00_common.sh, and I really use only the very first lines of the environment. Is it a problem?
Yes, you just need to set a few things in the 00_common.sh file; the cardano-cli/node and the genesis files are important in your case.
With xxx.node.skey, the xxx must be a name of your choice like mypool.node.skey
You then call the script 04c like ./04c_genKESKeys.sh mypool cli to generate new KES keys for the pool mypool as normal cli-keys (not encrypted).
And the same goes for 04d like ./04d_genNodeOpCert.sh mypool to generate the new opcert. If the machine has online access or a running node, the script will check the latest opcert counter on chain and increment it by one for the new opcert. If this is on an offline machine, please check your current opcert counter number first using for example cexplorer.io and look at your produced blocks; there you find the opcert number. Then you can force the script to use this given opcert counter number as the next one like: ./04d_genNodeOpCert.sh mypool <number>. The time/clock of the machine must be correct to do so.
You can find all kinds of examples and how-to in the readme here too:
Please give it a try.
Looking forward to your outcome… best regards, Martin.
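The arithmetic and checks behind the steps Martin describes, as an added example that is not part of this thread and not code from the Stakepool Operator Scripts: it computes the current KES period from a tip slot, the number of periods an opcert still covers, checks the on-disk opcert counter against the chain counter the node reports (the qKesNodeStateOperationalCertificateNumber value from `cardano-cli query kes-period-info`, where `null` means no block was ever minted), and compares a copied file against a hash taken on the source machine so a silently failed overwrite is noticed. It assumes mainnet Shelley genesis values (slotsPerKESPeriod 129600, maxKESEvolutions 62) and that the slot, start period and counters are read by hand from `cardano-cli query tip` and `kes-period-info` and passed in as arguments, so it also runs on the air-gapped machine; the sample values at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not from the Stakepool Operator Scripts: offline sanity checks
# for a KES rotation. All inputs are plain numbers passed as arguments.
set -eu

# Mainnet Shelley genesis parameters (shelley-genesis.json).
SLOTS_PER_KES_PERIOD=129600
MAX_KES_EVOLUTIONS=62

# KES period for a slot number: slot / slotsPerKESPeriod, integer division.
kes_period_from_slot() {
  echo $(( $1 / SLOTS_PER_KES_PERIOD ))
}

# Periods an opcert issued at start period $2 still covers at current period $1.
# Negative means the certificate has already expired.
kes_periods_remaining() {
  echo $(( $2 + MAX_KES_EVOLUTIONS - $1 ))
}

# Compare the opcert counter on disk ($1) with the chain counter the node
# reports ($2, qKesNodeStateOperationalCertificateNumber). "null" means the
# pool never minted a block, so there is nothing on chain to compare with.
# Prints a diagnostic; returns non-zero on a mismatch.
check_opcert_counter() {
  on_disk=$1
  node_state=$2
  if [ "$node_state" = "null" ]; then
    echo "ok: nothing on chain yet, on-disk counter $on_disk is the first one"
    return 0
  fi
  expected=$(( node_state + 1 ))
  if [ "$on_disk" -eq "$expected" ]; then
    echo "ok: on-disk counter $on_disk is chain counter + 1"
    return 0
  fi
  echo "mismatch: on-disk counter $on_disk, chain counter $node_state (expected $expected)"
  return 1
}

# Compare a file copied over sftp against the sha256 taken on the source
# machine ($1). Catches the case where the old file was never overwritten,
# e.g. because the target was chmod 400. Prints "match" or "differ".
check_copied_file() {
  actual=$(sha256sum "$2" | cut -d' ' -f1)
  if [ "$actual" = "$1" ]; then echo match; else echo differ; fi
}

# Demo with constructed sample values: a tip slot and the start period that
# was written into the opcert. 80000000 / 129600 = 617, so an opcert issued
# at period 560 has 560 + 62 - 617 = 5 periods left, i.e. it expires soon.
current=$(kes_period_from_slot 80000000)
echo "current KES period: $current"
echo "KES periods remaining: $(kes_periods_remaining "$current" 560)"
check_opcert_counter 1 0 || true
check_opcert_counter 0 null || true
check_opcert_counter 3 0 || true
```

Run it on the producer with `sha256sum node.cert kes.skey` taken beforehand on the air-gapped machine and compare with `check_copied_file <hash> node.cert`; if the hashes differ, the node is still loading the old certificate and the warning will stay whatever the counters say.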
I had the same issue a few months ago, and I realized I missed something to do at that time. But this time I don’t see what I missed. I checked the kes.vkey, skey content values and I am sure they were correctly copied to generate the new node.cert file and the node.cert file generated was correctly copied to my block producer. Also, and I will check it again, the counter value on my air-gapped machine is +1 compared to my block producer. I never minted a block, the null value is correct for qKesNodeStateOperationalCertificateNumber.
I hesitated to open this topic on the forum as I tried many times to rotate the keys without luck.
Thx all.
@martin
I tried your script, but I have errors on the checkError and file_lock commands. I use two separate virtual machines having no connection between them. I am transferring the files manually using sftp.
@kirael
It's the first time I am using your script. Your script is running perfectly fine. I am following the instructions and running the node cert creation manually. In between, the KES keys are copied using sftp to my air-gapped machine offline and the node cert is copied the same way to the node producer.
I think I might need help to check my setup.
But really, I don't see what has changed so that I can't rotate the keys.
Thx to both of you.
Olivier
hard to say, but if file_lock throws an error, it looks like you’re not using it as the correct user. maybe you don’t have the rights to do a chmod? file_lock is just doing that, setting the file via chmod to 400
Thx for your answer.
No, it's just "command not found". I don't know which package these commands come with. It seems that these commands are not installed on my running system. I am running as root, so no problem there.
Can I bypass this step and just transfer the newly created keys to my air-gapped offline machine and there run the other script to generate the node.cert? Then I will transfer the created node.cert manually using sftp?