Node grpc v2 with tls

Hi,

I’m trying to set up TLS for the testnet node by adding a self-signed cert with the corresponding private key (in PEM format, as instructed) as environment variables in the config. It is still listening on the default 20001 port. The node service starts just fine. I also changed the collector service to use https with the domain configured as the host variable. I can also start the collector just fine, but in the log I can see the error: Mar 13 10:58:35 provenance-tags-concordium-testnet-node concordium-testnet-node-collector-6.0.4[2693634]: 2024-03-13T10:58:35.005163251Z: ERROR: gRPC failed with “transport error” for http>

I also tried concordium-client (from remote) with both the domain name and port 20001, but it just hangs, so I guess it can’t connect.

I’m not sure what the problem is. Doesn’t the node or client support self-signed certificate?

FYI – everything works of course with just normal http.

thanks

Quick update. Adding the --secure flag when running Concordium-client fixed it. So I can connect using Concordium-client. But I still have the error in the collector service (see above).

Can you provide details on how you are configuring the collector service?

For the collector service, I just added below:

Environment=CONCORDIUM_NODE_COLLECTOR_GRPC_HOST=https://<domain_name_that_matches_also_the_one_in_cn_name_in_self_signed_cert>:20001

Also, when running my code that uses the Rust SDK to call the node to get instance info, I get the below:

0: Call failed: status: Unknown, message: “transport error”, details: , metadata: MetadataMap { headers: {} }
1: status: Unknown, message: “transport error”, details: , metadata: MetadataMap { headers: {} }
2: transport error
3: http2 error: connection error detected: frame with invalid size
4: connection error detected: frame with invalid size

Code is below (where node_api_address is the one with https). Is there anything special I need to do to call an https endpoint (e.g., ignore the cert check on the client or something)?

    // Build the endpoint from the configured address (needs `use std::str::FromStr;`)
    let node_endpoint = Endpoint::from_str(node_api_address.as_str())?;
    // Connect to the node's gRPC v2 API
    let mut client = Client::new(node_endpoint).await?;

    // Query consensus status to learn the last finalized block
    let consensus_info = client.get_consensus_info().await?;

    // Look up the contract instance in that block
    let instance_info = client.get_instance_info(*contract_address, &consensus_info.last_finalized_block).await?;
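The innermost cause in the trace above, `connection error detected: frame with invalid size`, is what the h2 crate reports when the 24-bit length field of an incoming frame header exceeds SETTINGS_MAX_FRAME_SIZE (16384 before any SETTINGS exchange). A plaintext HTTP/2 client that connects to a TLS-only port receives a TLS record instead of a frame, and a record's first three bytes (content type 0x15 or 0x16, then the 0x03 0x0N legacy version) decode as a length of over a million octets. The following std-only Rust example is added here; it is not code from the thread or from the Concordium SDK, and its sample bytes are constructed. It decodes the first bytes a client reads and separates this cleartext-to-TLS mismatch from a certificate-trust failure, which surfaces later as a TLS-level error rather than an h2 frame error. Whether this was the cause in the poster's setup is an assumption; the check is meant to be run against the bytes actually received.

```rust
// Added diagnostic example (not from the thread or the Concordium SDK).
// Decodes the first bytes a plaintext HTTP/2 client receives and explains why
// a TLS reply from the server surfaces as "frame with invalid size".

/// Default SETTINGS_MAX_FRAME_SIZE before any SETTINGS exchange (RFC 9113, 6.5.2).
pub const H2_DEFAULT_MAX_FRAME_SIZE: u32 = 16_384;
/// An HTTP/2 frame header is 9 octets: 24-bit length, type, flags, 31-bit stream id.
pub const H2_FRAME_HEADER_LEN: usize = 9;

#[derive(Debug, PartialEq, Eq)]
pub struct FrameHead {
    pub length: u32,
    pub kind: u8,
    pub flags: u8,
    pub stream_id: u32,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Diagnosis {
    /// Fewer bytes than needed: nothing can be said yet.
    ShortRead,
    /// The peer answered with a TLS record: this plaintext client is talking to a TLS port.
    TlsRecordOnPlaintextClient { declared_len: u32 },
    /// Length field exceeds the default maximum: what h2 reports as a FRAME_SIZE_ERROR.
    OversizedFrame { declared_len: u32 },
    /// Header decodes to a frame within the size limit.
    PlausibleFrame(FrameHead),
}

/// Read the 24-bit big-endian length that starts every HTTP/2 frame.
pub fn h2_declared_len(buf: &[u8]) -> Option<u32> {
    if buf.len() < 3 {
        return None;
    }
    Some(u32::from_be_bytes([0, buf[0], buf[1], buf[2]]))
}

/// Decode a full 9-byte HTTP/2 frame header.
pub fn parse_h2_frame_head(buf: &[u8]) -> Option<FrameHead> {
    if buf.len() < H2_FRAME_HEADER_LEN {
        return None;
    }
    Some(FrameHead {
        length: h2_declared_len(buf)?,
        kind: buf[3],
        flags: buf[4],
        // The top bit of the stream identifier is reserved and must be ignored.
        stream_id: u32::from_be_bytes([buf[5], buf[6], buf[7], buf[8]]) & 0x7fff_ffff,
    })
}

/// A TLS record starts with a content type (20..=23) followed by a 0x03 0x0N legacy version.
pub fn looks_like_tls_record(buf: &[u8]) -> bool {
    buf.len() >= 3 && (0x14..=0x17).contains(&buf[0]) && buf[1] == 0x03 && buf[2] <= 0x04
}

/// Classify the first bytes read from the peer on a connection the client believes is cleartext h2.
pub fn diagnose(buf: &[u8]) -> Diagnosis {
    let declared_len = match h2_declared_len(buf) {
        Some(len) => len,
        None => return Diagnosis::ShortRead,
    };
    if looks_like_tls_record(buf) {
        return Diagnosis::TlsRecordOnPlaintextClient { declared_len };
    }
    if declared_len > H2_DEFAULT_MAX_FRAME_SIZE {
        return Diagnosis::OversizedFrame { declared_len };
    }
    match parse_h2_frame_head(buf) {
        Some(head) => Diagnosis::PlausibleFrame(head),
        None => Diagnosis::ShortRead,
    }
}

/// Constructed sample: a TLS 1.2 alert record (fatal, handshake_failure), the kind of reply a
/// TLS listener may send when it receives the plaintext HTTP/2 connection preface.
pub const TLS_ALERT_REPLY: [u8; 7] = [0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28];
/// Constructed sample: an empty HTTP/2 SETTINGS frame, the first frame a real h2 server sends.
pub const H2_EMPTY_SETTINGS: [u8; 9] = [0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00];

fn main() {
    // The alert's first three bytes 0x15 0x03 0x03 read as length 1_377_027, far above 16_384.
    println!("{:?}", diagnose(&TLS_ALERT_REPLY));
    println!("{:?}", diagnose(&H2_EMPTY_SETTINGS));
}
```

The TLS check is deliberately done before the size check: a real oversized h2 frame and a TLS record both trip h2's FRAME_SIZE_ERROR, but only the second one is fixed by enabling TLS on the client (or by pointing the client at a cleartext port), so telling them apart saves a round of certificate debugging.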

For the Rust SDK you need to explicitly enable TLS support and select which trust roots you want:

    // Only attach a TLS configuration when the endpoint scheme is https.
    let endpoint = Endpoint::from_str(node_api_address.as_str())?;
    let endpoint = if endpoint
        .uri()
        .scheme()
        .map_or(false, |x| x == &v2::Scheme::HTTPS)
    {
        endpoint
            .tls_config(ClientTlsConfig::new())
            .context("Unable to construct TLS configuration for Concordium API.")?
    } else {
        endpoint
    };

And one way to select which trust roots you enable is to select all the ones available on the host

tonic = { version = "0.10", features = [
  "tls",
  "tls-roots", # Use system trust roots.
] }

in your Cargo.toml.

Hi @abizjak,
will this code work for self-signed cert? I will try. Do you have any idea about the collector error above?

I don’t think that code will work with self-signed certificates, no.

I have not tried it, but based on other reported tonic behaviour (“When using a self-signed certificate to build channel, an error occurred.” · Issue #459 · hyperium/tonic · GitHub) it seems that it won’t work.

Do you need to use self-signed certificates? There are probably workarounds if you do.