Celocli account unlock error

Hi team,
I am trying to run a validator on the Baklava network. I have set up the technical infrastructure required, as per the documentation (Run Baklava Testnet Validator). However, I am facing issues while registering the accounts using celocli.
I am currently using celocli v3.0.2 and node v18.14.2.
The command “celocli account:balance” is working correctly, displaying the Celo testnet balance, but when using the command “celocli account:unlock $CELO_VALIDATOR_GROUP_ADDRESS”, I am receiving the following error: “account unlock with HTTP access is forbidden”.
Can anyone please help me resolve this error?

Hey @saif-3230, thanks for asking.

I’m using this StackOverflow question and this section in the docs:

Unlocking

Celo nodes store private keys encrypted on disk with a password, and need to be “unlocked” before use. Private keys can be unlocked in two ways:

  1. By running the celocli account:unlock command. Note that the node must have the “personal” RPC API enabled in order for this command to work.
  2. By setting the --unlock flag when starting the node.

It is important to note that when a key is unlocked you need to be particularly careful about enabling access to the node’s RPC APIs.

Can you confirm that you are running your local node having the “personal” RPC API enabled?

From the docs, this is done by setting the personal flag in --http.api eth,net,web3,debug,admin,personal below:

Start your Accounts node

Next, we’ll run a node on your local machine so that we can use these accounts to lock CELO and authorize the keys needed to run your validator.

To run the node:

# On your local machine
mkdir celo-accounts-node
cd celo-accounts-node
docker run --name celo-accounts -it --restart always --stop-timeout 300 -p 127.0.0.1:8545:8545 -v $PWD:/root/.celo $CELO_IMAGE --verbosity 3 --syncmode full --http --http.addr 0.0.0.0 --http.api eth,net,web3,debug,admin,personal --baklava --light.serve 0 --datadir /root/.celo

Small note, the docs highlight that you should be particularly careful when running the command above.

Security: The command line above includes the parameter --http.addr 0.0.0.0 which makes the Celo Blockchain software listen for incoming RPC requests on all network adaptors. Exercise extreme caution in doing this when running outside Docker, as it means that any unlocked accounts and their funds may be accessed from other machines on the Internet. In the context of running a Docker container on your local machine, this together with the docker -p 127.0.0.1:localport:containerport flags allows you to make RPC calls from outside the container, i.e. from your local host, but not from outside your machine. Read more about Docker Networking here.

Let me know if that helps!

It looks like the docs are a little out of date… you need to add the flag --allow-insecure-unlock to your node command line options, to allow the cli to unlock accounts whose keys are stored locally on the node.

As Arthur highlights, this is only safe to do on a testnet like Baklava or when you’re absolutely sure your node is not accessible to the outside world!

Let us know how you get on
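
The condition in the two replies above (unlocking over HTTP is only acceptable while the RPC port is unreachable from other machines) can be checked before starting the container. The script below is an added example, not part of the thread or the Celo docs; the function name `audit_unlock_exposure` and the `IMAGE` placeholder are assumptions, and it only inspects `-p`/`--publish`, `--http.api` and `--allow-insecure-unlock`.

```sh
#!/bin/sh
# Added example (not from the thread or the Celo docs): audit the arguments of
# a `docker run` command for the accounts node before relying on
# --allow-insecure-unlock. Returns 1 if the RPC port is published beyond
# loopback while unlocking over HTTP is possible.
RPC_PORT=8545   # container RPC port used in the command on this page

audit_unlock_exposure() {
    unlock=0; personal=0; exposed=0; prev=""
    for arg in "$@"; do
        case "$prev" in
            -p|--publish)
                # Publish forms: ip:host:container, host:container, container
                case "$arg" in
                    *:*:*) ip=${arg%:*:*} ;;
                    *)     ip="" ;;          # no IP means all interfaces
                esac
                cport=${arg##*:}; cport=${cport%/*}   # drop any /tcp suffix
                if [ "$cport" = "$RPC_PORT" ]; then
                    case "$ip" in
                        127.*|"[::1]") ;;    # loopback only
                        *) exposed=1
                           echo "FINDING: -p $arg publishes RPC on ${ip:-all interfaces}" ;;
                    esac
                fi ;;
            --http.api)
                case ",$arg," in *,personal,*) personal=1 ;; esac ;;
        esac
        case "$arg" in
            --allow-insecure-unlock) unlock=1 ;;
            --http.api=*) case ",${arg#*=}," in *,personal,*) personal=1 ;; esac ;;
        esac
        prev=$arg
    done
    if [ "$unlock" -eq 1 ]; then echo "INFO: --allow-insecure-unlock is set"; fi
    if [ "$personal" -eq 1 ]; then echo "INFO: personal API enabled over HTTP"; fi
    if [ "$exposed" -eq 1 ] && [ $((unlock + personal)) -gt 0 ]; then
        echo "RESULT: unsafe"; return 1
    fi
    echo "RESULT: ok"; return 0
}

# Constructed inputs: the thread's command with the flag added (image name is a
# placeholder), then the same command without the 127.0.0.1 publish binding.
SAFE="run -p 127.0.0.1:8545:8545 IMAGE --http --http.addr 0.0.0.0 --http.api eth,net,web3,debug,admin,personal --allow-insecure-unlock --baklava"
OPEN="run -p 8545:8545 IMAGE --http --http.addr 0.0.0.0 --http.api eth,net,web3,debug,admin,personal --allow-insecure-unlock --baklava"
audit_unlock_exposure $SAFE || :
audit_unlock_exposure $OPEN || :
```

The second call reports a finding because a `-p` value without a host IP publishes the port on all interfaces.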

Hey @arthurgousset
Thanks for your response.
I have enabled the “personal” flag while starting my local node, as indicated in the official documentation. But I am still facing the same error.

I agree the official docs are a bit outdated and need an update.
Can I add the --allow-insecure-unlock flag to my existing local node running using Docker, or should I run a new node altogether? It would be very helpful if you could guide me with this process (as I am new to the Docker ecosystem).
The local node is currently running on dedicated hardware and is not accessible to the others.

Hey @tim,
Using the --allow-insecure-unlock worked for me. Although, I had to run a new Docker container with the flag.
Thank you very much for your guidance!! Have a nice weekend. :slightly_smiling_face:


Appreciate you following up here @saif-3230. Glad this worked for you :+1:
