From fb0e293e2dd0b5861be35d890bb8476e6e72c864 Mon Sep 17 00:00:00 2001
From: Scott Reimers
Date: Thu, 23 Apr 2026 02:04:55 -0400
Subject: [PATCH] Fix DEFAULT_ANCHOR: use post-rotation network key (ab2b72...)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The anchor rotated its network key on 2026-04-22 22:57 UTC during the v0.6.1 upgrade (keeping the old key as its posting identity). The DEFAULT_ANCHOR constant was never updated, so every v0.6.1 and v0.6.2 client has been pinning the old cert identity when connecting, producing a TLS "UnknownIssuer" handshake error. Symptom: fresh clients can't bootstrap; existing installs drop when the anchor's old connection times out and can't re-handshake. Verified: rebuilt CLI with the new constant successfully connects to the anchor, completes the initial exchange, registers as a mesh peer, and runs a pull sync. Note: `DEFAULT_ANCHOR_POSTING_ID` in lib.rs still holds the OLD key (17af14...) — that's correct, it's the anchor's posting identity used to verify signed announcements, distinct from the network key used for QUIC cert verification.
---
 crates/core/src/node.rs | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/crates/core/src/node.rs b/crates/core/src/node.rs
index 104e441..18875ad 100644
--- a/crates/core/src/node.rs
+++ b/crates/core/src/node.rs
@@ -19,7 +19,17 @@ use crate::types::{
 };
 
 /// Built-in default anchor — always available as a bootstrap fallback.
-const DEFAULT_ANCHOR: &str = "17af141956ae0b50dc1cb9248cadf5fca371ea2d8531ac9add3c03caffc61441@itsgoin.net:4433";
+/// Bootstrap anchor connect string. The NodeId here is the anchor's CURRENT
+/// network identity (used for QUIC handshake / cert verification). It was
+/// rotated from `17af14...` to `ab2b72...` by v0.6.1's upgrade path on the
+/// anchor host at 2026-04-22 22:57 UTC. The old key became the anchor's
+/// posting identity (see `DEFAULT_ANCHOR_POSTING_ID` in lib.rs) and is
+/// used to verify signed announcements; it is NOT used for connection
+/// verification.
+///
+/// Clients compiled against the pre-rotation value fail the TLS handshake
+/// with "UnknownIssuer" because they pin the wrong cert identity.
+const DEFAULT_ANCHOR: &str = "ab2b7258ef0b75b2c6ee8bf6595232055f6199d584d3c0fc10b15a1ed549aa13@itsgoin.net:4433";
 
 /// A distsoc node: ties together identity, storage, and networking
 pub struct Node {
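Review bot: The new `DEFAULT_ANCHOR` is still a single hard-coded pin, so the next network-key rotation on the anchor would break bootstrap for every shipped client in the way the commit message describes; nothing in this hunk gives clients an overlap window. The code that consumes the constant is outside the hunk, but if it can accept more than one entry, consider shipping the successor key in a client release before the anchor switches, or having the long-lived posting identity sign the current network key so the pin need not change. Because this string is the bootstrap trust anchor, the doc comment should also record how `ab2b72...` was authenticated, since a successful connect only shows that whatever answers at itsgoin.net:4433 presents this key, for example `/// New key authenticated via <signed announcement from DEFAULT_ANCHOR_POSTING_ID / out-of-band fingerprint>.` As a style point, the retained `/// Built-in default anchor …` line now runs straight into `/// Bootstrap anchor connect string.`, so rustdoc renders both as one summary paragraph; dropping one of them or separating them with a bare `///` keeps the summary to one sentence.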