@usmansaleem
Last active November 10, 2021 06:04
Running web3signer in docker with TLS enabled

Self-signed certificate in a PKCS12 keystore

The keystores are created with the JDK's keytool command (OpenSSL works as well). The first keystore is for Web3Signer itself, the second for the client (such as Teku or curl). Pay special attention to the CN of the client keystore/certificate, since the knownClients file in Web3Signer matches on it.

keytool -genkeypair -keystore web3signer_keystore.p12 -storetype PKCS12 -storepass MY_PASSWORD -alias SOME_ALIAS \
-keyalg RSA -keysize 2048 -validity 700 -dname "CN=localhost, OU=PegaSys, O=ConsenSys, L=Brisbane, ST=QLD, C=AU" \
-ext san=dns:localhost,ip:127.0.0.1

keytool -genkeypair -keystore client_keystore.p12 -storetype PKCS12 -storepass MY_PASSWORD -alias SOME_ALIAS \
-keyalg RSA -keysize 2048 -validity 700 -dname "CN=client, OU=PegaSys, O=ConsenSys, L=Brisbane, ST=QLD, C=AU" \
-ext san=dns:localhost,ip:127.0.0.1

Obtain the client certificate's SHA-256 fingerprint, which goes into the knownClients file later on.

> keytool -list -v -keystore client_keystore.p12 -storetype PKCS12 -storepass MY_PASSWORD

...
Certificate fingerprints:
	 SHA1: 12:CA:86:0E:FE:BF:49:BD:AE:8C:C5:7F:2F:C3:48:3F:DA:EC:E2:9D
	 SHA256: CE:75:50:F1:09:C6:7B:2A:E0:C6:E5:61:75:27:7A:DC:F9:D4:52:57:39:D6:91:4A:E4:84:74:0C:8E:89:B4:E2
...

docker compose file

version: "3.9"

services:
  web3signer:
    image: consensys/web3signer:develop
    command: --config-file=/var/config/config.yaml eth2
    volumes:
      - ./config:/var/config
    ports:
      - "9000:9000"

web3signer config YAML file (placed in ./config; adjust the paths if required)

http-listen-host: "0.0.0.0"
http-listen-port: 9000
http-host-allowlist: "*"

key-store-path: /var/config/keys

# tls options
tls-keystore-file: /var/config/web3signer_keystore.p12
tls-keystore-password-file: /var/config/password.txt
tls-known-clients-file: /var/config/knownClients.txt
# tls-allow-any-client: true

# eth2 subcommand options
eth2.slashing-protection-enabled: false

knownClients.txt (one entry per line: the Common Name (CN) of the client's TLS certificate followed by its SHA-256 fingerprint)

client CE:75:50:F1:09:C6:7B:2A:E0:C6:E5:61:75:27:7A:DC:F9:D4:52:57:39:D6:91:4A:E4:84:74:0C:8E:89:B4:E2
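As an added example (not part of the gist or of Web3Signer's code), the Python below shows how the knownClients.txt entry is derived and how an allowlist check of that shape works: it pulls the SHA256 line out of keytool's output, normalises it to the colon-separated uppercase form, and matches a presenting client's CN and fingerprint against the entries. The helper names, the case-insensitive hex comparison and the "two fields per line" rule are assumptions of this example.

```python
import hashlib
import re

# Constructed sample: the "Certificate fingerprints" section of
# `keytool -list -v` output for the client keystore, same format as the gist.
KEYTOOL_OUTPUT = """\
Certificate fingerprints:
\t SHA1: 12:CA:86:0E:FE:BF:49:BD:AE:8C:C5:7F:2F:C3:48:3F:DA:EC:E2:9D
\t SHA256: CE:75:50:F1:09:C6:7B:2A:E0:C6:E5:61:75:27:7A:DC:F9:D4:52:57:39:D6:91:4A:E4:84:74:0C:8E:89:B4:E2
"""

FINGERPRINT_RE = re.compile(r"^\s*SHA256:\s*([0-9A-Fa-f:]+)\s*$", re.MULTILINE)

def normalize_fingerprint(fp: str) -> str:
    """Canonical form: 32 uppercase hex bytes joined by colons (keytool style)."""
    hexdigits = fp.replace(":", "").upper()
    if not re.fullmatch(r"[0-9A-F]{64}", hexdigits):
        raise ValueError(f"not a SHA-256 fingerprint: {fp!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 64, 2))

def sha256_fingerprint_from_keytool(output: str) -> str:
    """Pull the SHA256 fingerprint line out of `keytool -list -v` output."""
    m = FINGERPRINT_RE.search(output)
    if not m:
        raise ValueError("no SHA256 fingerprint in keytool output")
    return normalize_fingerprint(m.group(1))

def fingerprint_of_der(der: bytes) -> str:
    """The fingerprint keytool prints is SHA-256 over the DER-encoded certificate."""
    return normalize_fingerprint(hashlib.sha256(der).hexdigest())

def known_clients_line(cn: str, fp: str) -> str:
    """One knownClients.txt entry: '<CN> <SHA-256 fingerprint>'."""
    return f"{cn} {normalize_fingerprint(fp)}"

def parse_known_clients(text: str) -> dict:
    """knownClients.txt -> {CN: fingerprint}; blank lines skipped, two fields per entry (assumption)."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 2:
            raise ValueError(f"malformed knownClients entry: {line!r}")
        entries[fields[0]] = normalize_fingerprint(fields[1])
    return entries

def is_known_client(cn: str, presented_fp: str, entries: dict) -> bool:
    """Accept only when both the CN and the fingerprint match the allowlist entry."""
    return entries.get(cn) == normalize_fingerprint(presented_fp)
```

Note that the commented-out `tls-allow-any-client: true` line in the config above would bypass this allowlist entirely, so it belongs commented out on any production signer.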

docker compose up

docker compose up

...
docker_test-web3signer-1  | 2021-11-10 01:03:56.177+00:00 | pool-2-thread-1 | INFO  | SignerLoader | Signer configuration metadata files read in memory 2 in 00:00:00.022
docker_test-web3signer-1  | 2021-11-10 01:03:56.183+00:00 | ForkJoinPool-1-worker-3 | INFO  | SignerLoader | Parsing configuration metadata files
docker_test-web3signer-1  | 2021-11-10 01:03:58.201+00:00 | ForkJoinPool-1-worker-3 | INFO  | BLS | BLS: loaded BLST library
docker_test-web3signer-1  | 2021-11-10 01:03:59.083+00:00 | ForkJoinPool-1-worker-3 | INFO  | SignerLoader | Total configuration metadata files processed: 2
docker_test-web3signer-1  | 2021-11-10 01:03:59.083+00:00 | ForkJoinPool-1-worker-3 | INFO  | SignerLoader | Total signers loaded from configuration files: 2 in 00:00:02.899
docker_test-web3signer-1  | 2021-11-10 01:03:59.090+00:00 | pool-2-thread-1 | INFO  | DefaultArtifactSignerProvider | Total signers (keys) currently loaded in memory: 2
...
docker_test-web3signer-1  | 2021-11-10 01:04:00.435+00:00 | main | INFO  | Runner | Web3Signer has started with TLS enabled, and ready to handle signing requests on 0.0.0.0:9000
...

Upcheck test via curl (--insecure only skips verification of the self-signed server certificate; the client certificate is still presented and checked against knownClients.txt)

curl --insecure --cert-type P12 --cert client_keystore.p12:password   https://localhost:9000/upcheck
OK