Is there any way I could verify if my just rotated KES is valid?
With the help of text view of cbors on cold.counter and node.cert files?
cardano-cli text-view decode-cbor --in-file node.cert
My main goal is to find out whether or not I am having a KES issue: InvalidKesSignatureOCERT before the node is selected as a slot leader.
Sep 28 02:32:44 wladyslawa bash[1480600]: [wladysla:cardano.node.Forge:Error:141] [2021-09-28 01:32:44.03 UTC] fromList [(“val”,Object (fromList [(“kind”,String “TraceForgedInvalidBlock”),(“reason”,Object (fromList [(“error”,Object (fromList [(“error”,Object (fromList [(“failures”,Array [Object (fromList [(“error”,String “Reject”),(“kind”,String “InvalidKesSignatureOCERT”),(“opCertExpectedKESEvolutions”,String “1”),(“opCertKESCurrentPeriod”,String “318”),(“opCertKESStartPeriod”,String “317”)])]),(“kind”,String “ChainTransitionError”)])),(“kind”,String “HeaderProtocolError”)])),(“kind”,String “ValidationError”)])),(“slot”,Number 4.1226473e7)])),(“credentials”,String “Cardano”)]
Would also love to have more insight into this.
We failed to mint our first block because of this, but I can’t verify our opcert because we haven’t minted a block before…
This is happens because each time when the KES are rotated the node.counter or cold.counter is refreshed ( if u will open the file before and after u will see that the counter is incrementing by 1 each time when the KES are rotated) but people will not bkp the new file generated and next time they use the same/old file (and the new counter will be < than the current counter used)
Question on what the procedure is if the counter does not get backed up? Is it safe to say that you know the current counter is 9 and next counter is supposed to be 10, then manually edit a file with a 10 in it?
Yes, as long the counter is > than the last time used (adapools.org → blocks) is fine. The counter can be edited manually inside the cold.counter before to generate the KES
Cheers,
Good to know! I’m doing some house cleaning and its good to know what some potential issues and resolutions might be. TYVM
Hi Alex,
This won’t be the case anymore with version 1.35 (if I understand correctly)
In the release notes :
" * Restricted opcert issue number increment, as of Babbage. Previously op cert issue numbers could be anything, provided it was larger than previously used numbers. Now the op cert counter must be exactly one more than the previously used op cert."
Now as a SPO which never validated any block (yet) I wonder if I must generate the KES keys with the counter set to one each time I rotate until I finally get a block or can I increment each time…?
Also if let’s say my counter is at 3 but never validated any block, must I regenerate my KES key with the counter to one when upgrading to 1.35 …?
- Restricted opcert issue number increment, as of Babbage. Previously op cert issue numbers could be anything, provided it was larger than previously used numbers. Now the op cert counter must be exactly one more than the previously used op cert."
Exactly
Now as a SPO which never validated any block (yet) I wonder if I must generate the KES keys with the counter set to one each time I rotate until I finally get a block or can I increment each time…?
good question, I think 1 should be fine if u didin’t created any blocks
Also if let’s say my counter is at 3 but never validated any block, must I regenerate my KES key with the counter to one when upgrading to 1.35 …?
Nope, keep the current increment number
Cheers,
1 Like