I am trying to run a validator on the Baklava network. I have set up the technical infrastructure required, as per the documentation (Run Baklava Testnet Validator). However, I am facing issues while registering the accounts using celocli.
I am currently using celocli v3.0.2 and node v18.14.2.
The command “celocli account:balance” is working correctly, displaying the celo testnet balance, but when using the command “celocli account:unlock $CELO_VALIDATOR_GROUP_ADDRESS”, I am receiving the following “error: account unlock with HTTP access is forbidden”.
Can anyone please help me resolve this error?
Hey @saif-3230, thanks for asking.
Celo nodes store private keys encrypted on disk with a password, and need to be “unlocked” before use. Private keys can be unlocked in two ways:
- By running the `celocli account:unlock` command. Note that the node must have the “personal” RPC API enabled in order for this command to work.
- By setting the `--unlock` flag when starting the node.
It is important to note that when a key is unlocked you need to be particularly careful about enabling access to the node’s RPC APIs.
Can you confirm that you are running your local node having the “personal” RPC API enabled?
From the docs, this is done by setting the `personal` flag in `--http.api eth,net,web3,debug,admin,personal` below:
Start your Accounts node
Next, we’ll run a node on your local machine so that we can use these accounts to lock CELO and authorize the keys needed to run your validator.
To run the node:
```bash
# On your local machine
mkdir celo-accounts-node
cd celo-accounts-node
docker run --name celo-accounts -it --restart always --stop-timeout 300 -p 127.0.0.1:8545:8545 -v $PWD:/root/.celo $CELO_IMAGE --verbosity 3 --syncmode full --http --http.addr 0.0.0.0 --http.api eth,net,web3,debug,admin,personal --baklava --light.serve 0 --datadir /root/.celo
```
Small note, the docs highlight that you should be particularly careful when running the command above.
Security: The command line above includes the parameter `--http.addr 0.0.0.0` which makes the Celo Blockchain software listen for incoming RPC requests on all network adaptors. Exercise extreme caution in doing this when running outside Docker, as it means that any unlocked accounts and their funds may be accessed from other machines on the Internet. In the context of running a Docker container on your local machine, this together with the `docker -p 127.0.0.1:localport:containerport` flags allows you to make RPC calls from outside the container, i.e. from your local host, but not from outside your machine. Read more about Docker Networking here.
Let me know if that helps!
It looks like the docs are a little out of date… you need to add the flag `--allow-insecure-unlock` to your node command line options, to allow the cli to unlock accounts whose keys are stored locally on the node.
As Arthur highlights, this is only safe to do on a testnet like Baklava or when you’re absolutely sure your node is not accessible to the outside world!
Let us know how you get on
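Added example (not part of the original thread or the Celo docs): a shell check for the caveat above. It reads the output of `docker port` for the accounts container and flags any published RPC port whose host side is not bound to loopback. The sample lines are constructed; `celo-accounts` is the container name from the docs' command quoted earlier.

```shell
#!/bin/sh
# Added example. `docker port <container>` prints one line per binding, e.g.
#   8545/tcp -> 127.0.0.1:8545
# With --allow-insecure-unlock and the personal API enabled, any binding that
# is not loopback lets other machines reach the unlocked keys over RPC.

# Reads `docker port` output on stdin, prints one verdict line per binding.
# Returns 0 if every binding is loopback-only, 1 otherwise.
check_rpc_bindings() {
    status=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        host=${line##*-> }      # host side: "127.0.0.1:8545" or "[::]:8545"
        addr=${host%:*}         # drop the trailing ":port"
        case "$addr" in
            127.*|'[::1]') echo "ok       $line" ;;
            *)             echo "EXPOSED  $line"; status=1 ;;
        esac
    done
    return "$status"
}

# Constructed samples (not captured from a real host).
# SAFE is what `-p 127.0.0.1:8545:8545` yields; UNSAFE is what a bare
# `-p 8545:8545` yields, because Docker then binds all interfaces.
SAFE='8545/tcp -> 127.0.0.1:8545'
UNSAFE='8545/tcp -> 0.0.0.0:8545
8545/tcp -> [::]:8545'

printf '%s\n' "$SAFE"   | check_rpc_bindings || echo "unexpected: safe sample flagged"
printf '%s\n' "$UNSAFE" | check_rpc_bindings || echo "unsafe sample flagged, as expected"

# Against a running node, before unlocking any account:
#   docker port celo-accounts | check_rpc_bindings || echo "re-create the container with -p 127.0.0.1:..."
```

Docker cannot change the startup arguments or port bindings of an existing container, so either correction (adding `--allow-insecure-unlock` or fixing `-p`) means removing the container and running it again; the chain data in the mounted directory is kept.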
Thanks for your response.
I have enabled the “personal” flag while starting my local node, as indicated in the official documentation. But I am still facing the same error.
I agree the official docs are a bit outdated and need an update.
Can I add the --allow-insecure-unlock flag to my existing local node running using docker, or should I run a new node altogether? It would be very helpful if you could guide me with this process (as I am new to the Docker ecosystem).
The local node is currently running on dedicated hardware and is not accessible to the others.
Hey @tim,
Using the --allow-insecure-unlock worked for me. Although, I had to run a new docker container with the flag.
Thank you very much for your guidance!! Have a nice weekend.
Appreciate you following up here @saif-3230. Glad this worked for you