Node grpc v2 with tls


I’m trying to setup tls for the testate node by adding self-signed cert with corresponding private key (in pem format as instructed) environment variables in the config. Still listening on default 20001 port. The
node service starts just fine. I also change the collector service to use https with the domain configured in the set for the host variable. I can also start the collector just fine but in the log I can see the error: Mar 13 10:58:35 provenance-tags-concordium-testnet-node concordium-testnet-node-collector-6.0.4[2693634]: 2024-03-13T10:58:35.005163251Z: ERROR: gRPC failed with “transport error” for http>

I also tried concordium client (from remote) with both domain name and port 20001 but it just hands so I guess it can’t connect.

I’m not sure what the problem is. Doesn’t the node or client support self-signed certificate?

FYI – everything works of course with just normal http.


Quick update. Adding the --secure flag when running Concordium-client fixed it. So I can connect using Concordium-client. But I still have the error in the collector service (see above).

Can you provide details on how you are configuring the collector service?

For the collector service, I just added below:


Also, in running my code that uses the rust sdk to call the node to get get instance info, I get below:

0: Call failed: status: Unknown, message: “transport error”, details: , metadata: MetadataMap { headers: {} }
1: status: Unknown, message: “transport error”, details: , metadata: MetadataMap { headers: {} }
2: transport error
3: http2 error: connection error detected: frame with invalid size
4: connection error detected: frame with invalid size

Code is below (where node_api_address is the one with https), anything special I need to do to call an https (e.g., example ignore cert client check or something)?

let node_endpoint = Endpoint::from_str(node_api_address.as_str())?;
let mut client = Client::new(node_endpoint).await?;

let consensus_info = client.get_consensus_info().await?;

let instance_info = client.get_instance_info(*contract_address, &consensus_info.last_finalized_block).await?;

For the rust SDK you need to explicitly enable TLS support and which trust roots you want

    let endpoint = Endpoint::from_str(node_api_address.as_str())?;
    let endpoint = if endpoint
        .map_or(false, |x| x == &v2::Scheme::HTTPS)
            .context("Unable to construct TLS configuration for Concordium API.")?
    } else {

And one way to select which trust roots you enable is to select all the ones available on the host

tonic = { version = "0.10", features = [
  "tls-roots", # Use system trust roots.
] }

in your Cargo.toml.

Hi @abizjak,
will this code work for self-signed cert? I will try. Do you have any idea about the collector error above?

I don’t think that code will work with self-signed certificates, no.

I have not tried it, but based on other reported tonic behaviour When using a self-signed certificate to build channel,an error occurred. · Issue #459 · hyperium/tonic · GitHub it seems that it won’t work.

Do you need to use self-signed certificates? There are probably workarounds if you do.