QBFT fails seal blocks (err=unauthorized)

[gianmarcotoso]

Hello,

I'm attempting to create a private network orchestrated with docker-compose and nodes spin up correctly, unlocking their account without issue, but QBFT is not working as expected as I'm getting a Block sealing failed err=unauthorized error on each one of them. I've made sure that I have access to the keystore for each node (otherwise it wouldn't unlock) and the extradata is correct (you can see in the log below that the valSet correctly has the node in its set) as suggested in this discussion.

Apparently QBFT is starting with a completely unrelated address: in the example below the unlocked account is 0x37aeD63d9Fea452061940c2686C293F9BCa84E27, but QBFT starts with the 0x44C53cbEbab3c4450d21cf3359c48E70362F42D4 address (maybe this has nothing to do with the error and I'm misunderstanding the meaning of this second address).

The same configuration works correctly with Clique with both the Quorum and the Geth client (with a different extradata, of course).

Here is the output log of one of the nodes' Quorum client (it's the same on all 3 of them, apart from the addresses):

private-blockchain-node2-1     | INFO [10-13|16:45:43.012] Unlocked account                         address=0x37aeD63d9Fea452061940c2686C293F9BCa84E27
private-blockchain-node2-1     | INFO [10-13|16:45:43.012] Transaction pool price threshold not updated as gasPrice is not enabled 
private-blockchain-node2-1     | INFO [10-13|16:45:43.012] Transaction pool price threshold not updated as gasPrice is not enabled 
private-blockchain-node2-1     | INFO [10-13|16:45:43.012] start QBFT 
private-blockchain-node2-1     | INFO [10-13|16:45:43.012] BFT: activate QBFT 
private-blockchain-node2-1     | INFO [10-13|16:45:43.012] QBFT: start                              address=0x44C53cbEbab3c4450d21cf3359c48E70362F42D4
private-blockchain-node2-1     | INFO [10-13|16:45:43.012] QBFT: initialize new round               address=0x44C53cbEbab3c4450d21cf3359c48E70362F42D4 old.round=-1 old.seq=0 target.round=0 lastProposal.number=0 lastProposal.hash=f0abab..1047a5
private-blockchain-node2-1     | INFO [10-13|16:45:43.012] QBFT: start new round                    address=0x44C53cbEbab3c4450d21cf3359c48E70362F42D4 old.round=-1 old.seq=0 next.round=0 next.seq=1 next.proposer=0x37aeD63d9Fea452061940c2686C293F9BCa84E27 next.valSet="[0x37aeD63d9Fea452061940c2686C293F9BCa84E27 0xbAe9F03778B29f0a60bf8892b2cB61193460ba2C 0xf8D5118F33b40664fD07A49bA87717BFDafF3Be0]" next.size=3 next.IsProposer=false
private-blockchain-node2-1     | INFO [10-13|16:45:43.012] Commit new mining work                   number=1 sealhash=71b91d..c3c858 uncles=0 txs=0 gas=0 fees=0 elapsed="104.562µs"
private-blockchain-node2-1     | WARN [10-13|16:45:43.013] Block sealing failed                     err=unauthorized

And here the docker-compose file for the node:

version: '3.7'

services:
    node2:
        hostname: node2
        volumes:
            - ./blockchain/nodes/node2/keystore:/root/.ethereum/keystore
            - ./blockchain/nodes/node2/accountPassword:/root/.ethereum/password.txt
        build: ./blockchain
        depends_on:
            - bootnode
        command: --bootnodes=${BOOTNODE_ADDRESS}
            --unlock "0x37aeD63d9Fea452061940c2686C293F9BCa84E27"
            --password /root/.ethereum/password.txt
            --mine
            --networkid=${NETWORK_ID}
            --netrestrict="172.16.254.0/28"
            --syncmode full
        networks:
            priv-eth-net:

Am I missing some startup parameter or something else?

Thanks!

[baptiste-b-pegasys]

This happens when the node is not part of the list of validators, which is set in the extra data or validators smart contract.

There are two addresses: wallet address (account) for signing sent tx and node address (nodekey) for mining and permissioning.

There is tutorial for making a private network: https://consensys.net/docs/goquorum/en/latest/tutorials/private-network/create-qbft-network/

istanbul.getValidators() (from geth console) will returns the list of declared validators, they should match the values on each nodekey file and in the static and permissioned files, it's the public key nodekey.pub that should be used.

[gianmarcotoso]

Thank you, I was indeed using the wrong addresses, as I was creating the extraData field with the addresses of the accounts instead of the addresses of the validator nodes.