Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Validator api requires ssl keystore to be defined

See original GitHub issue


[Detailed description of the problem and the impact it has] [Please be as specific as possible] Starting teku in “web3signer mode” with validator API enabled (and all the other required flags) result in an error if not tls keys are defined (probably with --validators-external-signer-keystore)

However starting teku in “web3signer mode” without the validator API enabled and without the tls keys setup, is allowed.

Steps to Reproduce (Bug)

Start Teku with

/opt/teku/bin/teku validator-client --network=auto --data-base-path=/opt/teku/data \
     --beacon-node-api-endpoint=%(ENV_BEACON_NODE_ADDR)s \
     --validators-external-signer-url=%(ENV_WEB3SIGNER_API)s --log-destination=CONSOLE \ 
     --metrics-enabled=true --metrics-interface --metrics-port 8008 \ 
     --metrics-host-allowlist=* --validator-api-enabled=true \ 
     --validator-api-interface= --validator-api-port=%(ENV_VALIDATOR_PORT)s \ 
     --validator-api-host-allowlist= %(ENV_EXTRA_OPTS)s

Expected behavior: [What you expect to happen] Allow starting teku in web3signer mode with validator API enabled without tls configured Actual behavior: [What actually happens] Error

Validator api requires ssl keystore to be defined

Frequency: [How regularly does it occur?] On startup

Versions (Add all that apply)

  • Software version: [teku --version or look for log lines starting with Teku version:] 22.4.0
  • Java version: [java -version] official docker image
  • OS Name & Version: [cat /etc/*release] official docker image
  • Docker Version: [docker version] 20.10.2
  • Cloud VM, type, size: [Amazon Web Services I3-large]

Issue Analytics

  • State:closed
  • Created a year ago
  • Comments:13 (8 by maintainers)

github_iconTop GitHub Comments

ajsuttoncommented, Apr 29, 2022

Actually Enrico has a good point too I think the cert format is probably not what Teku needs either. The instructions for creating a keystore for use with web3signer also work for this:

ajsuttoncommented, Apr 29, 2022

It’s the password.txt that’s binary which is specified as:


according to the link you gave. It needs to be valid UTF-8. The failed to start Javalin is the issue we need to get rid of, though for me I get a big exception stack trace earlier which gives a clear message about what’s wrong:

2022-04-29 08:54:14.279 ERROR - Failed to read password file for validator api keystore
java.nio.charset.MalformedInputException: Input length = 3
at java.lang.String.throwMalformed( ~[?:?]
at java.lang.String.decodeUTF8_UTF16( ~[?:?]
at java.lang.String.newStringUTF8NoRepl( ~[?:?]
at java.lang.String.newStringNoRepl1( ~[?:?]
at java.lang.String.newStringNoRepl( ~[?:?]

The reason you’re getting no response is an artefact of using Docker - Teku isn’t listening on the port at all so it’s not even accepting the connection, but Docker’s port forwarding does accept the connection then finds it can’t connect the other end and just does nothing with it.

Read more comments on GitHub >

github_iconTop Results From Across the Web

SSL Keystore Validation - Oracle Communities
I have a question on keystore validatioan. I am currently validating on particular keystore available on my machine.. I have set the system ......
Read more >
Building a keystore file to be used with an HTTPS (or ...
As the client requires the keystore file with the registered certification from the server (for encryption), you may search for the server certificate...
Read more >
HTTPS certificate validation fails when using a trustStore
This keyStore will be used as the default by the JSSE (Java Secure Socket Extension) by default to validate SSL handshakes. The
Read more >
Enabling SSL for the RESTful APIs using an external certificate
Configure SSL for the web servers in your production environment, using a properly chained certificate from a trusted certificate authority (CA).
Read more >
Keystores and Truststores | Apigee Edge
In one-way TLS, a truststore is not required if the cert is signed by a valid CA. If the certificate received by a...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found