retry add onion after tor's controller closed connection #26228

issue nyxnor opened this issue on October 2, 2022
  1. nyxnor commented at 10:35 PM on October 2, 2022: none

    <!-- This issue tracker is only for technical issues related to Bitcoin Core. General bitcoin questions and/or support requests are best directed to the Bitcoin StackExchange at https://bitcoin.stackexchange.com. For reporting security issues, please read instructions at https://bitcoincore.org/en/contact/. If the node is "stuck" during sync or giving "block checksum mismatch" errors, please ensure your hardware is stable by running memtest and observe CPU temperature with a load-test tool such as linpack before creating an issue! -->

    <!-- Describe the issue -->

    I am running Bitcoind on Qubes-Whonix. Whonix-Gateway is where tor resides, and every tor controller's command made by Whonix-Workstation to Whonix-Gateway is filtered by a proxy called onion-grater (upstream development is made by Tails OS)

    From this point on I will be referring to tor's controller simply by "control" or "controller".

    If the control connection is closed by restarting onion-grater to apply new rules (even not regarding the bitcoind.yml) file, bitcoind will remove the current onion and won't be able to set it as address again.

    RemoveLocal(myonion.onion:8333)
tor: No supported authentication method

    and bitcoin-cli -netinfo

    Local addresses: n/a

    and of course none of my nodes listening to this address will continue working.

    ADD_ONION command works the first time but not the second. The problem occurs because bitcoind does not give time for the controller to restart the second time, so the authentication is not "available yet".

    In fact, tor is not being reloaded or restarted, only the proxy, which is what bitcoind sees as the controller.

    This happens because I am using bitcoind tor controller feature to send ADD_ONION. If I set the onion service manually on the gateway, I wouldn't have this problem, but then the problem would be:

    • it wouldn't be pragmatically deleted, although I am rewriting it with Flag=DiscardPK anyway
    • it would stay as a file on the Gateway and the onion address would need to be manually inserted into the bitcoin.conf

    Expected behavior

    <!--- What behavior did you expect? -->

    I expect that after bitcoind can't authenticate to the controller, it tries again after some time. This way, I can restart my controller without needing to restart bitcoind for it to get a onion listening address again.

    Actual behavior

    <!--- What was the actual behavior (provide screenshots if the issue is GUI-related)? -->

    Bitcoind removes current listening onion hostname and not retry to authenticate to the controller.

    To reproduce

    <!--- How reliably can you reproduce the issue, what are the steps to do so? -->

    This is difficult to reproduce on normal systems. First, Qubes may not interfere, so you could try to reproduce on Whonix KVM or Virtualbox or Tails OS (probably).

    If you can't test on that setup, I would try to simple close the controller connection on a normal system and then see what bitcoind does to the listening onion address.

    Also you need to add the bitcoind onion-grater profile, I don't know if Tails has, but for Whonix, I am using https://github.com/Whonix/onion-grater/blob/9addd1d6dd9671b18e5415a196b92d7f6ee5846c/usr/share/doc/onion-grater-merger/examples/40_bitcoind.yml

    It is not the current Whonix onion-grater profile but it is the correct one and will be merged upstream soon.

    If that is the case, add that profile to /usr/local/etc/onion-grater-merger.d/40_bitcoind.yml

    Also set in the bitcoin.conf the onion binding to bind=0.0.0.0:8334=onion and not 127.0.0.1. This makes the service listen on the Whonix internal interface and does not affect security. Restart bitcoind to apply changes.

    You will also have to open the port on the Whonix-Workstation firewall.

    $ sudo mkdir -p /usr/local/etc/whonix_firewall.d
$ echo "EXTERNAL_OPEN_PORTS+=" 8334 " | tee -a /usr/local/etc/whonix_firewall.d/50_user.conf`
$ sudo whonix_firewall

    To view onion-grater logs, you need to enable debug mode on the Whonix-Gateway:

    $ echo "[Service]
## Clear onion-grater default file '/lib/systemd/system/onion-grater.service'.
ExecStart=
## Enable debug mode.
ExecStart=/usr/lib/onion-grater --listen-interface eth1 --debug
" | tee /usr/lib/systemd/system/onion-grater.service.d/50_user.conf
$ sudo systemctl daemon-reload
$ sudo systemctl restart onion-grater

    Then after adding the profile, enabling onion-grater debug mode, restarting onion-grater and bitcoind, test if the address is reachable externally. Use the bitcoid option connect=address.onion, so you are sure it is connecting.

    If it is, restart onion-grater.

    $ sudo systemctl restart onion-grater

    On the bitcoin debug.logs, you should see the same error I saw above about removing onion address and not able to authenticate to the controller.

    But that is not entirely correct, because I can issue an ADD_ONION manually and it will accept, but bitcoind does not try to issue ADD_ONION a second time.

    host onion-grater[149562]: 10.137.0.31:54044 (filter: 30_autogenerated): -> PROTOCOLINFO 1
host onion-grater[149562]: 10.137.0.31:54044 (filter: 30_autogenerated): <- 250-PROTOCOLINFO 1
host onion-grater[149562]: 10.137.0.31:54044 (filter: 30_autogenerated): <- 250-AUTH METHODS=NULL
host onion-grater[149562]: 10.137.0.31:54044 (filter: 30_autogenerated): <- 250-VERSION Tor="0.4.7.10"
host onion-grater[149562]: 10.137.0.31:54044 (filter: 30_autogenerated): <- 250 OK
host onion-grater[149562]: 10.137.0.31:54044 (filter: 30_autogenerated): -> AUTHENTICATE
host onion-grater[149562]: 10.137.0.31:54044 (filter: 30_autogenerated): <- 250 OK

    The controller actually lets bitcoind authenticate, as seen from the onion-grater logs above. But I don't understand why bitcoind says it can't authenticate. The ip doesn't matter, it is internal ip.

    What you should expect from onion-grater logs is the following:

    host onion-grater[149562]: 10.137.0.31:43566 (filter: 30_autogenerated): -> AUTHENTICATE
host onion-grater[149562]: 10.137.0.31:43566 (filter: 30_autogenerated): <- 250 OK
host onion-grater[149562]: 10.137.0.31:43566 (filter: 30_autogenerated): -> ADD_ONION NEW:ED25519-V3 Port=8333,0.0.0.0:8334
host onion-grater[149562]: 10.137.0.31:43566 (filter: 30_autogenerated): rewrote command:
host onion-grater[149562]:     ADD_ONION NEW:ED25519-V3 Port=8333,0.0.0.0:8334
host onion-grater[149562]: to:
host onion-grater[149562]:     ADD_ONION NEW:ED25519-V3 Port=8333,10.137.0.31:8334 Flags=DiscardPK
host onion-grater[149562]: 10.137.0.31:43566 (filter: 30_autogenerated): <- (multi-line)
host onion-grater[149562]:     250-ServiceID=myonionhostnamewithoutonion
host onion-grater[149562]:     250 OK
host onion-grater[149562]: 10.137.0.31:43566 (filter: 30_autogenerated): -> QUIT
host onion-grater[149562]: 10.137.0.31:43566 (filter: 30_autogenerated): <- 250 closing connection
host onion-grater[149562]: 10.137.0.31:43566 (filter: 30_autogenerated) disconnected: client quit

    You could try on Whonix with tor-ctrl to authenticate after restarting onion-grater and it will work:

    $ tor-ctrl ADD_ONION NEW:ED25519-V3 Port=8333,0.0.0.0:8334

    and it will authenticate.

    But for some unknown reason bitcoind does not reauthenticate to the controller.

    I understand that once the contoller connection closes, the commands send to the controller are not valid anymore. But bitcoind should be able to reauthenticate once it loses connection.

    System information

    <!-- What version of Bitcoin Core are you using, where did you get it (website, self-compiled, etc)? -->

    <!-- What type of machine are you observing the error on (OS/CPU and disk type)? -->

    <!-- GUI-related issue? What is your operating system and its version? If Linux, what is your desktop environment and graphical shell? -->

    <!-- Any extra information that might be useful in the debugging process. -->

    <!--- This is normally the contents of a `debug.log` or `config.log` file. Raw text or a link to a pastebin type site are preferred. -->

    System information was already described above. I understand this may be difficult debug because it requires a system with onion-grater. But it does not rely on Whonix or Tails or onion-grater package to fix this, as they are only restarting to read the new configuration, but bitcoind understand that as a connection that must be closed forever.

    If you read all this and is open to make bitcoind retry to authenticate cleanly, I am open to help debug and instruct how to reproduce.

  2. nyxnor added the label Bug on Oct 2, 2022
  3. nyxnor commented at 11:52 AM on October 3, 2022: none

    I restarted the controller proxy several times, onion-grater is consistent with its replies or ServiceID, but bitcoind is not, it says authentication not supported even when the reply contained the ServiceID. Each of the spaced lines are a time I restarted the tor controller's proxy:

    tor: Got service ID OLDONION, advertising service OLDONION.onion:8333
AddLocal(OLDONION.onion:8333,4)

RemoveLocal(OLDONION.onion:8333)
tor: No supported authentication method 

tor: No supported authentication method

tor: No supported authentication method

tor: Got service ID ANOTHERONION, advertising service ANOTHERONION.onion:8333
AddLocal(ANOTHERONION.onion:8333,4)

    And for some reason, on the last it did work. I was solely restarting onion-grater, sometimes bitcoind can't authenticate, sometimes it can, which is very strange.

  4. nyxnor commented at 12:38 PM on October 3, 2022: none

    Enabled tor debugging for bitcoind:

    tor: Connected to Tor version 0.4.7.10
tor: Supported authentication method: NULL
tor: Using NULL authentication
tor: Authentication successful
tor: ADD_ONION successful
tor: Got service ID OLDONION, advertising service OLDONION.onion:8333

    restarting the controller proxy

    tor: End of stream
RemoveLocal(OLDONION.onion:8333)
tor: Not connected to Tor control port 127.0.0.1:9051, trying to reconnect
tor: Successfully connected!
tor: End of stream
tor: Not connected to Tor control port 127.0.0.1:9051, trying to reconnect
tor: Successfully connected!
tor: Connected to Tor version 0.4.7.10
tor: Supported authentication method: NULL
tor: Using NULL authentication
tor: No supported authentication method

    and controller logs:

    -> PROTOCOLINFO 1
<- 250-PROTOCOLINFO 1
<- 250-AUTH METHODS=NULL
<- 250-VERSION Tor="0.4.7.10"
<- 250 OK
-> AUTHENTICATE
<- 250 OK

    -> client commands to the controller <- controller replies to the client

    You can see bitcoind tries to use the NULL method that doesn't require a pass or cookie, and the controller let's bitcoind authenticate, but bitcoind does not

    Sometimes bitcoind understand it can authenticate (Authentication successful), but then logs No supported authentication method, not creating the onion.

    tor: Error connecting to Tor control socket
tor: Not connected to Tor control port 127.0.0.1:9051, trying to reconnect
tor: Successfully connected!
tor: Error connecting to Tor control socket
tor: Not connected to Tor control port 127.0.0.1:9051, trying to reconnect
tor: Successfully connected!
tor: Authentication successful
tor: No supported authentication method

    and by some change (which appear to be random), sometimes bitcoind gets the onion and uses it:

    tor: Connected to Tor version 0.4.7.10
tor: Supported authentication method: NULL
tor: Using NULL authentication
tor: Authentication successful
tor: ADD_ONION successful
tor: Got service ID NEWONION, advertising service NEWONION.onion:8333

    TLDR:

    Bitcoind always can get the onion after it is restarted. If the onion is no long available because the controller connection closes for a second, then when it is available again, bitcoind can't get the onion hostname (ServiceID) reliably, sometimes it can, sometimes it can't and the controller is always replying, bitcoind doesn't get it sometimes for some reason.

  5. bitcoin deleted a comment on Oct 4, 2022
  6. willcl-ark commented at 9:11 AM on September 15, 2023: member

    @nyxnor I may be misunderstanding something here but I suspect this is not a Bitcoin Core issue and seems likely related to your onion grater or whonix setup...

    Using Ubuntu, I can trivially run Bitcoin Core and wait for it to connect to tor daemon, then stop Tor, wait for disconnection, then start Tor and Bitcoin Core will re-connect (and re-authenticate) to it (using SAFECOOKIE) very happily, time after time.

    2023-09-15T08:57:57Z [tor] Get SOCKS port command yielded 127.0.0.1:9050
2023-09-15T08:57:57Z [tor] Configuring onion proxy for 127.0.0.1:9050
2023-09-15T08:57:57Z [tor] ADD_ONION successful
2023-09-15T08:57:57Z [tor] Got service ID bwralcqq7fzxatchm66rhtk5fmtd6gcrib2vhz3wmetzidmi2vzx2vid, advertising service bwralcqq7fzxatchm66rhtk5fmtd6gcrib2vhz3wmetzidmi2vzx2vid.onion:18444
2023-09-15T08:57:57Z [tor] Cached service private key to /home/will/.bitcoin/regtest/onion_v3_private_key
2023-09-15T08:57:57Z AddLocal(bwralcqq7fzxatchm66rhtk5fmtd6gcrib2vhz3wmetzidmi2vzx2vid.onion:18444,4)

# stop tor service

2023-09-15T08:58:17Z [tor] End of stream
2023-09-15T08:58:17Z RemoveLocal(bwralcqq7fzxatchm66rhtk5fmtd6gcrib2vhz3wmetzidmi2vzx2vid.onion:18444)
2023-09-15T08:58:17Z [tor] Not connected to Tor control port 127.0.0.1:9051, trying to reconnect
2023-09-15T08:58:18Z [tor] Error connecting to Tor control socket
2023-09-15T08:58:18Z [tor] Not connected to Tor control port 127.0.0.1:9051, trying to reconnect
2023-09-15T08:58:19Z [tor] Error connecting to Tor control socket
2023-09-15T08:58:19Z [tor] Not connected to Tor control port 127.0.0.1:9051, trying to reconnect
2023-09-15T08:58:22Z [tor] Error connecting to Tor control socket
2023-09-15T08:58:22Z [tor] Not connected to Tor control port 127.0.0.1:9051, trying to reconnect
2023-09-15T08:58:25Z [tor] Error connecting to Tor control socket
2023-09-15T08:58:25Z [tor] Not connected to Tor control port 127.0.0.1:9051, trying to reconnect

<snip>
# start tor again

2023-09-15T08:59:30Z [tor] Successfully connected!
2023-09-15T08:59:30Z [tor] Connected to Tor version 0.4.8.5
2023-09-15T08:59:30Z [tor] Supported authentication method: COOKIE
2023-09-15T08:59:30Z [tor] Supported authentication method: SAFECOOKIE
2023-09-15T08:59:30Z [tor] Using SAFECOOKIE authentication, reading cookie authentication from /run/tor/control.authcookie
2023-09-15T08:59:30Z [tor] SAFECOOKIE authentication challenge successful
2023-09-15T08:59:30Z [tor] AUTHCHALLENGE ServerHash de3ef6a0b59f44a31ff8e58f3380bc77f65c7a36fb6cc69767801b72067a6245 ServerNonce 297510897a4a8667adbcc83e08e9e06e988e37a7bef18f4f2b4f85ec90b78d50
2023-09-15T08:59:30Z [tor] Authentication successful
2023-09-15T08:59:30Z [tor] Get SOCKS port command yielded 127.0.0.1:9050
2023-09-15T08:59:30Z [tor] Configuring onion proxy for 127.0.0.1:9050
2023-09-15T08:59:30Z [tor] ADD_ONION successful
2023-09-15T08:59:30Z [tor] Got service ID bwralcqq7fzxatchm66rhtk5fmtd6gcrib2vhz3wmetzidmi2vzx2vid, advertising service bwralcqq7fzxatchm66rhtk5fmtd6gcrib2vhz3wmetzidmi2vzx2vid.onion:18444
2023-09-15T08:59:30Z [tor] Cached service private key to /home/will/.bitcoin/regtest/onion_v3_private_key
2023-09-15T08:59:30Z AddLocal(bwralcqq7fzxatchm66rhtk5fmtd6gcrib2vhz3wmetzidmi2vzx2vid.onion:18444,4)

    What version of Bitcoin Core were you using out of interest, ? I notice I have a slightly newer version or Tor than you, but I doubt that is the issue here. Also there have been a pretty minimal number of changes to torcontroller.cpp since you first posted this, so I don't think anything has changed on the Bitcoin Core side:

    $ git log --pretty=oneline --after="2022-10-02" -- src/torcontrol.cpp
9a84200cfc994eebf38c46919b20e0c0261799ae doc, refactor: Changing -torcontrol help to specify that a default port is used
fa32af22b323e7c58b6b20af6517f4795a72cdc5 Replace LocaleIndependentAtoi with ToIntegral
faab76c1c01e6d3fff8ac1bc71baeecd8846dc32 iwyu on torcontrol
fa0a60dd93e4485c1f62ffcc87fa9e6b195ce795 Remove unused boost signals2 from torcontrol
32e2ffc39374f61bb2435da507f285459985df9e Remove the syscall sandbox
34bcdfc6a65de906c65edccdd96fe15219081cd2 p2p, refactor: return vector/optional<CService> in `Lookup`
be55f545d53d44fdcf2d8ae802e9eae551d120c6 move-only: Extract common/args and common/config.cpp from util/system
35fbc972082eca0fc848fba77360ff35f1ba69e1 Merge bitcoin/bitcoin#25619: net: avoid overriding non-virtual ToString() in CService and use better naming
96ee992ac3535848e2dc717bf284339badd40dcb clang-tidy: Fix `modernize-use-default-member-init` in headers
306ccd4927a2efe325c8d84be1bdb79edeb29b04 scripted-diff: Bump copyright headers
96c791dd20fea54c17d224000dee677bc158f66a net: remove CService::ToString() use ToStringAddrPort() instead
043b9de59aec88ae5e29daac7dc2a8b51a9414ce scripted-diff: rename ToStringIP[Port]() to ToStringAddr[Port]()
  7. willcl-ark commented at 4:01 PM on September 21, 2023: member

    The problem is not easily reproducible.

    Please open a new issue (or leave a comment in here if you want this re-opened) if you experience the problem again.

  8. willcl-ark closed this on Sep 21, 2023
  9. bitcoin locked this on Sep 20, 2024
Contributors
nyxnorwillcl-ark
Labels
Bug
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-17 09:13 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me