Troubleshooting and best practices
Common issues
"No validators found in keystore"
Symptoms: Node fails to start with no sequencer configurations loaded
Causes:
- Keystore file not found at specified path
- Invalid JSON syntax
- Missing required fields
- File permissions prevent reading
Solutions:
- Verify keystore path:
ls -la $KEY_STORE_DIRECTORY
- Validate JSON syntax:
cat keystore.json | jq .
- Check required fields:
{
"schemaVersion": 1,
"validators": [
{
"attester": "REQUIRED",
"feeRecipient": "REQUIRED"
}
]
}
- Fix file permissions:
chmod 600 keystore.json
chown aztec:aztec keystore.json
"Failed to connect to remote signer"
Symptoms: Node cannot reach Web3Signer endpoint
Causes:
- Incorrect URL or port
- Network connectivity issues
- Certificate validation failures
- Remote signer not running
Solutions:
- Test connectivity:
curl https://signer.example.com:8080/upcheck
- Verify certificate:
openssl s_client -connect signer.example.com:8080 -showcerts
-
Check remote signer logs for authentication errors
-
For self-signed certificates, ensure proper certificate configuration in keystore
"Insufficient funds for gas"
Symptoms: Transactions fail with insufficient balance errors
Causes:
- Publisher accounts not funded
- ETH balance depleted
Solutions:
- Check publisher balances:
cast balance 0xPUBLISHER_ADDRESS --rpc-url $ETHEREUM_HOST
-
Fund publisher accounts with ETH
-
Set up automated balance monitoring and alerts
"Nonce too low" or "Replacement transaction underpriced"
Symptoms: Transaction submission failures related to nonces
Causes:
- Multiple nodes using same publisher key
- Publisher key reused across keystores
- Transaction pool issues
Solutions:
-
Never share publisher keys across multiple running nodes
-
If you must use the same key, ensure only one node is active at a time
-
Clear pending transactions if safe to do so
"Keystore file not loaded"
Symptoms: Only some keystores load from a directory
Causes:
- Invalid JSON in some files
- Incorrect file extensions
- Schema version mismatch
Solutions:
- Check all files in directory:
for file in /path/to/keystores/*.json; do
echo "Checking $file"
jq . "$file" || echo "Invalid JSON in $file"
done
-
Ensure all files use
.json
extension -
Verify
schemaVersion: 1
in all keystores
"Cannot decrypt JSON V3 keystore"
Symptoms: Failed to load encrypted keystore files
Causes:
- Incorrect password
- Corrupted keystore file
- Unsupported encryption algorithm
Solutions:
-
Verify password is correct
-
Test decryption manually:
# Using ethereumjs-wallet or similar tool
-
Re-generate keystore if corrupted
-
Ensure keystore was generated using standard tools (geth, web3.py, ethers.js)
Security best practices
Key storage
DO:
- Use remote signers (Web3Signer) for production deployments
- Store keystores in encrypted volumes
- Use JSON V3 keystores with strong passwords
- Restrict file permissions to 600 (owner read/write only)
- Keep backups of keystores in secure, encrypted locations
DON'T:
- Commit keystores or private keys to version control
- Store unencrypted private keys on disk
- Share private keys between nodes
- Use the same keys across test and production environments
- Log private keys or keystore passwords
Publisher key management
DO:
- Use separate publisher keys for each sequencer if possible
- Monitor publisher account balances with alerting
- Rotate publisher keys periodically
- Maintain multiple funded publishers for resilience
- Keep publisher keys separate from attester keys
DON'T:
- Reuse publisher keys across multiple nodes
- Run out of gas in publisher accounts
- Use sequencer attester keys as publishers if avoidable
- Share publisher keys between sequencers
Remote signer security
DO:
- Use TLS/HTTPS for all remote signer connections
- Implement client certificate authentication
- Run remote signers on isolated networks
- Monitor remote signer access logs
- Use firewall rules to restrict access
DON'T:
- Use unencrypted HTTP connections
- Expose remote signers to the public internet
- Share remote signer endpoints between untrusted parties
- Disable certificate verification
Operational security
DO:
- Implement principle of least privilege for file access
- Use hardware security modules (HSMs) for high-value sequencers
- Maintain audit logs of key access and usage
- Test keystore configurations in non-production environments first
- Document your key management procedures
DON'T:
- Run nodes as root user
- Store passwords in shell history or scripts
- Share attester keys between sequencers
- Neglect monitoring and alerting
Getting help
If you encounter issues not covered here:
- Check the Aztec Discord
#operator-faq
channel - Review node logs for specific error messages
- Ask in Discord with:
- Error messages (redact private keys!)
- Keystore structure (anonymized)
- Node version and deployment environment
Next steps
- Return to Advanced Configuration Patterns
- See Key Storage Methods for more options
- Check Sequencer Management for operational guidance