Risk of losing "poor" validators due to TLS cert change in H1 CY25

I had some spare time left so I’ve decided to entertain an “xx Network version of micro-plastics scare”, namely a theory that TLS certificate renewal (which requires node restart) could be one of the top reasons why the poor XX validators who can’t find the money to buy XX coins could be offlined despite their validators’ desire to not restart validation.

From that list, I took all the nodes whose certs expire in the first half of CY25.

| Node | Cert expiry |
|---|---|
| Tyq8arEUQdct7bLg7w6B0ANDGdM3hwD92RmAlzWW8wQC | 2025-07-31 |
| YXPB8bLYX2eZXzHGuOX2Fy/CqCY1gQA8iahs8OH73K0C | 2025-07-23 |
| znytNp5sswj3Zm74KVDBOdGnnejldhqvpcwDEIJZAKgC | 2025-07-13 |
| TYdRXFExpFaOLbpRXxnant4k5pBGRQgtvXSnhW5pg94C | 2025-06-05 |
| yGMd2oGg3mSIzu8Kn9fsWXfPy7NM6LiAeoSuQuxwCbgC | 2025-04-16 |
| rDTyz7wOqC1ksNHTCafufwLsVdwFst3pRxVlJl+DEnAC | 2025-03-24 |
| yHI49skrAyNMCnKaU/aAuepwnlED7XgR+I5xLEhAQ/cC | 2025-01-08 |
| 8+TE9qZntPUbfI2Kr3NWMRvn+UWn2k4Cl3BwriGa1YkC | 2025-01-06 |

Then I looked at each.

Here’s what I found:

  • some are no longer validating, so not relevant.
  • the first validating is CERES, a sock-puppet node (more about that here)
  • the second is XXNPN#2, a node that blocks nominations and (just in case!) has a 29% commission. In other words, pool trash.
  • the third is ABERNATION-CA2, a 100-percenter validator.
  • the fourth is SISTNODE - apparently someone’s “sister’s” (at least application-wise) node who has been a validator for years and - get this - has amassed a fortune of 1,084.33 XX in the form of validator stake!
  • the fifth and last still-active one is the ID-less 6YkoUSqjeb3dSi2WwHZzYKe75tsXdJM4oYMx8wntG77hotrK. Has a 15K XX validator stake and therefore at least until February or longer to get his act together. (This may be a sock-puppet node as well, but I didn’t dig deeper).

Fact check: False. Losing any of these validators would not be bad for the network and in any case, there’s just 5 of them that could disappear. There’s 17 nodes in Waiting, many of them with well over 15K XX in validator’s wallet.

So to summarize the ideas of your greatness:

  • Conclusion on nominating validators => being a validator yourself, because no one on this earth is good enough for you, or such a small number that it’s useless to search for and nominate them
  • Conclusion on validators who can be ejected soon => not important; with your greatness you can run as many validators yourself as required to keep this network up & running
  • Conclusion on validators that your ego does not like because you’re jealous or whatever: ban them and publish their IPs/DNS to remove one layer of security of the network and discard these IPs. This can cause a mess in a network of random rounds, but whatever, it’s not important that 6-10% of messages will not reach their destination.
  • What else for destroying the whole network?
1 Like

First, “(which requires node restart)” is inaccurate.

The entire process is explained in great detail in the TLS Certificate Update Procedure & Form.

TLDR;

1. Check whether the TLS certificates expire before 2033.
2. Generate new certificates.
3. Get and provide the new certificates.
4. Transfer the new gateway certificate to the node computer.
5. Transfer the new cmix certificate to the gateway computer.
6. Stop the xxnetwork-cmix and xxnetwork-gateway services.
7. Replace the existing certificates with the new certificates.
8. Start the xxnetwork-cmix and xxnetwork-gateway services after the chosen Scheduling Server restart.

As one can see from the synopsis of the update procedure, there is no mention of having to stop validating, nor of having to stop or start the xxnetwork-chain service.

Continue reading …

Updating the TLS Certificates used by the xxnetwork-cmix and xxnetwork-gateway processes does not require an operator to stop validating. It doesn’t even require the operator to stop the xxnetwork-chain process. Validators continue to validate while they wait for the Scheduling Server restart.

This is because the TLS Certificates are related to securing the connections of cMixx nodes, gateways and clients, and have nothing to do with the blockchain.

As an example of how validating has no dependency on cMixx, consider the XXFOUNDATION-BOOTNODEs. They …

  • do not run the xxnetwork-cmix or xxnetwork-gateway processes
  • have never registered on the cMixx network
  • do not have TLS Certificates

… and they remain validators on the blockchain.

1 Like
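Step 1 of the procedure summarized above (checking whether the TLS certificates expire before 2033) can be scripted. The following is an added example, not part of the original posts or of the xx network documentation; it assumes openssl and GNU date are installed, all function names are hypothetical, and the certificate paths are supplied by the operator because the thread does not state where they live.

```shell
#!/bin/sh
# Added example (not xx network code). Needs openssl and GNU date.
# Certificate paths are passed in by the caller.

# Print a certificate's notAfter as Unix epoch seconds; return 2 if unreadable.
cert_not_after_epoch() {
    end=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null) || return 2
    date -u -d "${end#notAfter=}" +%s 2>/dev/null || return 2
}

# Return 0 if the certificate expires before CUTOFF (YYYY-MM-DD),
# 1 if it is valid past CUTOFF, 2 if the file or the date cannot be parsed.
cert_expires_before() {
    not_after=$(cert_not_after_epoch "$1") || return 2
    cutoff=$(date -u -d "$2" +%s 2>/dev/null) || return 2
    [ "$not_after" -lt "$cutoff" ]
}

# Print one status line per certificate; return 1 if any needs attention.
check_certs() {
    cutoff_date=$1; shift
    now=$(date -u +%s); rc=0
    for f in "$@"; do
        if cert_expires_before "$f" "$cutoff_date"; then
            days=$(( ($(cert_not_after_epoch "$f") - now) / 86400 ))
            echo "RENEW $f: expires in $days days, before $cutoff_date"; rc=1
        elif [ $? -eq 1 ]; then
            echo "OK    $f: valid past $cutoff_date"
        else
            echo "ERROR $f: not a readable certificate"; rc=1
        fi
    done
    return $rc
}

# Constructed sample input: a throwaway self-signed certificate written to
# OUT ($1) and valid for DAYS ($2) days; its private key is deleted.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1" -days "$2" -subj "/CN=constructed-sample" 2>/dev/null &&
        rm -f "$1.key"
}
```

Calling `check_certs 2033-01-01` with the cmix and gateway certificate files on each machine gives a non-zero exit status whenever one of them needs replacing, which makes it usable from cron or a monitoring check.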

That’s what he said (I did doubt that may not be true, but didn’t verify).

Thanks for the correction!

In hindsight, the argument could have been dismissed without any checking 🙂