teku: Invalid SNI between web3signer and teku client

Description

With the latest version of the Teku client, the validator can't communicate properly with the remote signer. We have the client and the web3signer on the same machine but in separate Docker containers. There is a warning message in the client and an error message in the web3signer. I have created the certificates with the hostname we use, but that does not solve the problem.

Steps to Reproduce (Bug)

This is the entrypoint we use for the web3signer: https://github.com/dappnode/DAppNodePackage-web3signer-prater/blob/master/web3signer/entrypoint.sh

This is the entrypoint of the teku client: https://github.com/dappnode/DAppNodePackage-teku-prater/blob/master/validator/entrypoint.sh

`--validator-api-keystore-file=/cert/teku_client_keystore.p12 \`: this is the certificate I tried to create with the following command to solve the issue:

```shell
keytool -genkeypair -keystore teku_client_keystore.p12 -storetype PKCS12 -storepass changeit -alias web3signer -keyalg RSA -keysize 2048 -validity 109500 -dname "CN=localhost, OU=PegaSys, O=ConsenSys, L=Brisbane, ST=QLD, C=AU" -ext san=dns:web3signer.web3signer-prater.dappnode,ip:127.0.0.1
```

Adding the hostname web3signer.web3signer-prater

Expected behaviour: The validator connects with the web3signer and works.

Actual behaviour: In the validator service logs this warning appears:

```
2022-12-16 06:46:01.731 WARN  - handleException /eth/v1/remotekeys org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
```

The validator stopped working. In the web3signer logs you can see:

```
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 400 Invalid SNI</title>
</head>
<body><h2>HTTP ERROR 400 Invalid SNI</h2>
<table>
<tr><th>URI:</th><td>/eth/v1/remotekeys</td></tr>
<tr><th>STATUS:</th><td>400</td></tr>
<tr><th>MESSAGE:</th><td>Invalid SNI</td></tr>
<tr><th>SERVLET:</th><td>-</td></tr>
<tr><th>CAUSED BY:</th><td>org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI</td></tr>
</table>
<h3>Caused by:</h3><pre>org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
	at org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:267)
	at org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:208)
	at org.eclipse.jetty.server.HttpChannel.lambda$handle$0(HttpChannel.java:501)
	at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:762)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:497)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:282)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
	at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:558)
	at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:379)
	at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:146)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
	at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
	at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:421)
	at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:390)
	at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:277)
	at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.lambda$new$0(AdaptiveExecutionStrategy.java:139)
	at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:411)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:933)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1077)
	at java.base/java.lang.Thread.run(Unknown Source)
</pre>
<hr/><a href="https://eclipse.org/jetty">Powered by Jetty:// 11.0.12</a><hr/>

</body>
</html>, HTTP code 400
```


Versions (Add all that apply)

  • Web3signer: v22.11.0
  • Teku: v22.12.0

Extra: I have tried to create the certificates with the following command according to the teku documentation:

```shell
keytool -genkeypair -keystore teku_client_keystore.p12 -storetype PKCS12 -storepass changeit -alias web3signer -keyalg RSA -keysize 2048 -validity 109500 -dname "CN=localhost, OU=PegaSys, O=ConsenSys, L=Brisbane, ST=QLD, C=AU" -ext san=dns:web3signer.web3signer-prater.dappnode,ip:127.0.0.1
```

Adding the hostname web3signer.web3signer-prater

In this thread https://github.com/ConsenSys/teku/issues/5386 it was discussed how to connect it in a DAppNode environment.

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 16 (7 by maintainers)

Most upvoted comments

I think I already fixed the issue. It can be closed. The proper command was:

```shell
keytool -genkeypair -keystore teku_client_keystore.p12 -storetype PKCS12 -storepass changeit -alias localhost -keyalg RSA -keysize 2048 -validity 109500 -dname "CN=validator.teku-prater.dappnode"
```
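As an added example (not from this issue, Teku or Web3Signer): a pre-flight check that the names in a server certificate cover the hostname a client will send as TLS SNI, so a mismatch like the one above is caught before deployment. It parses constructed samples of `openssl x509 -noout -subject -ext subjectAltName` output for the two keystores discussed in the thread and applies the usual hostname rules (SAN dNSName entries first, the CN only when there is no SAN), which is why the first keystore fails for `validator.teku-prater.dappnode` and the fixed one passes.

```python
import ipaddress
import re

# Constructed sample of openssl output for a cert like the first keystore (CN=localhost plus SANs).
FIRST_CERT_TEXT = """subject=CN = localhost, OU = PegaSys, O = ConsenSys, L = Brisbane, ST = QLD, C = AU
X509v3 Subject Alternative Name:
    DNS:web3signer.web3signer-prater.dappnode, IP Address:127.0.0.1
"""
# Constructed sample for the fixed keystore: CN is the hostname, no SAN extension.
FIXED_CERT_TEXT = "subject=CN = validator.teku-prater.dappnode\n"


def cert_names(text):
    """Parse (cn, dns_sans, ip_sans) out of openssl's text output."""
    cn_match = re.search(r"^subject=.*?\bCN\s*=\s*([^,\n]+)", text, re.M)
    cn = cn_match.group(1).strip() if cn_match else None
    dns, ips = [], []
    san = re.search(r"Subject Alternative Name:\s*\n\s*(.+)", text)
    if san:
        for entry in san.group(1).split(","):
            kind, _, value = entry.strip().partition(":")
            if kind == "DNS":
                dns.append(value.strip().lower())
            elif kind == "IP Address":
                ips.append(value.strip())
    return cn, dns, ips


def dns_match(pattern, host):
    """RFC 6125 style name match: exact, or one '*' as the whole left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) < 3 or p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def sni_matches(cert_text, sni_host):
    """True if the name a client sends as TLS SNI is covered by the certificate."""
    cn, dns, ips = cert_names(cert_text)
    try:
        ip = ipaddress.ip_address(sni_host)
    except ValueError:
        ip = None
    if ip is not None:  # IP literals are only matched against iPAddress SANs
        return any(ipaddress.ip_address(x) == ip for x in ips)
    if dns:  # once dNSName SANs are present, the CN is not consulted at all
        return any(dns_match(d, sni_host) for d in dns)
    return cn is not None and dns_match(cn, sni_host)
```

Run it against the real keystore with `openssl pkcs12 -in teku_client_keystore.p12 -nokeys | openssl x509 -noout -subject -ext subjectAltName` and pass that text to `sni_matches` with the hostname the caller actually uses.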