Skip to main content
Security-related failures typically block your validator from starting or from authenticating to the synchronizer and its APIs. The errors are often cryptic, but they fall into a few well-defined categories.

Certificate Problems

Certificate Expiry

TLS certificates used by your validator (for its Ledger API, admin API, or ingress) expire on a fixed date. When they expire, connections fail immediately. Symptom:
Check expiry dates:
Resolution: Renew the certificate through your CA or certificate manager (Let’s Encrypt, AWS ACM, etc.). After replacing the certificate file, restart the service that uses it. For Kubernetes ingress controllers, the restart is often automatic once the Secret is updated.

Certificate Renewal in Kubernetes

If you use cert-manager, check whether the Certificate resource shows a renewal failure:
Look for events like The certificate request has failed or Order is in state errored. Common causes: DNS challenge failed (check DNS propagation), HTTP challenge failed (check ingress routing), or the issuer’s credentials have expired.

Incomplete CA Chain

If clients can connect to your validator from some locations but not others, the server may be presenting an incomplete certificate chain. Verify:
If you see verify return:0, the chain is broken. Concatenate the intermediate CA certificates into your server certificate file, in order from leaf to root.

JWT Validation Failures

JWT tokens authenticate API clients (your application, wallet UI, or automation scripts) to the validator’s Ledger API.

Clock Skew

Even a sub-second difference between the token issuer’s clock and the validator’s clock can cause expiry failures if the token lifetime is short. Fixes:
  • Increase the access token lifetime in your OIDC provider to at least 15 minutes.
  • Ensure NTP is running and synchronized on the validator host:

Wrong Audience Claim

The aud claim in the JWT must match the LEDGER_API_AUTH_AUDIENCE configured on the validator. Check your OIDC provider’s application settings and align the audience with your validator config.

Expired Tokens

If API calls fail intermittently with UNAUTHENTICATED, your token refresh logic may not be working correctly. Verify:
  • The token refresh interval is shorter than the token lifetime.
  • The OIDC provider’s token endpoint is reachable from the application making the calls.
  • The refresh token itself has not expired (refresh tokens often have a longer but still finite lifetime).

JWKS Endpoint Unreachable

If the validator cannot reach the JWKS (JSON Web Key Set) endpoint to validate token signatures:
Check network connectivity from the validator to the OIDC provider. In Kubernetes, DNS resolution issues or egress restrictions can block this.

Key Management

KMS Connectivity

If your validator uses a cloud KMS (AWS KMS, GCP Cloud KMS, Azure Key Vault) for signing keys, connectivity failures prevent transaction signing. Symptom:
Checks:
  • Verify the KMS endpoint is reachable from the validator pod.
  • Confirm the IAM role or service account has kms:Sign, kms:GetPublicKey, and kms:Decrypt permissions.
  • If using IRSA (IAM Roles for Service Accounts) in EKS, verify the service account annotation and OIDC provider trust.

Permission Errors

The IAM policy attached to the validator’s role must include the specific KMS key ARN. A wildcard (*) in the resource field works for testing but should be scoped to the exact key in production.

Key Rotation

Canton generates cryptographic keys during node initialization. If you need to rotate keys (e.g., after a suspected compromise), use the Canton Console:
Key rotation requires careful coordination. Always test in a non-production environment first.

Troubleshoot TLS

TLS can be configured using the parameters described here. If you are having trouble setting up SSL/TLS, you can enable SSL debugging, increase netty logging, or generate test keys and certificates to validate your configuration.

Enable debug logging for ssl

You can enable SSL debugging by adding the following flag to the command line when starting Canton:
This will print verbose SSL-related information to the console, including details of the handshake process. It is recommended to use this flag only when troubleshooting, as the output can be very verbose and may impact performance of your application.

Enable debug logging for netty

The error messages on TLS issues provided by the networking library netty are less than optimal. If you are struggling with setting up TLS, please enable DEBUG logging on the io.netty logger. This can typically be done by adding the following line to your logback logging configuration:

Generate test keys and certificates

If you need to generate test TLS certificates to test your configuration, you can use the following OpenSSL script:
If you’d prefer to manually generate your own set of keys and certificates, the commands used in this process are documented here: