hyperledger / fabric-sdk-go

https://wiki.hyperledger.org/display/fabric
Apache License 2.0

Endorser Client Status Code: (2) CONNECTION_FAILED #246

Open lisablack1 opened 1 year ago

lisablack1 commented 1 year ago

Go version: go1.19 linux/amd64

fabric-sdk-go version: v1.0.0

creating the channel client using identity and MSP client

err = MSPClient.Enroll("username", msp.WithSecret("pwd"))
if err != nil {
    fmt.Println(err)
}

identity, err := MSPClient.GetSigningIdentity("sample_admin")
if err != nil {
    fmt.Println(err)
    return 
}

channelClientProvider := sdk.ChannelContext(channelID, fabsdk.WithIdentity(identity))

channelClient, err = channel.New(channelClientProvider)
if err != nil {
    fmt.Println(err) // <------ getting error while connecting to peer
}

peer info in yaml file

peers:
  peer0.example.com:
    grpcOptions:
      hostnameOverride: peer0.example.com
      ssl-target-name-override: peer0.example.com
    tlsCACerts:
      pem: //giving pem file path
    url: grpcs://peer0.example.com:443

added the peer0.example.com in /etc/hosts with ip

we are able to connect to peer using telnet

After running getting error

event service creation failed: could not get chConfig cache reference: QueryBlockConfig failed: QueryBlockConfig failed: queryChaincode failed: Transaction processing for endorser [peer0.example.com:443]: Endorser Client Status Code: (2) CONNECTION_FAILED. Description: dialing connection on target [peer0.example.com:443]: connection is in TRANSIENT_FAILURE

MisiakGeo commented 1 year ago

I have exactly the same problem. If Peers have mutual TLS enabled, then somehow either in the connection.json file or by using custom Go code (from the fabric-sdk-go pkg), the client TLS certificates that are needed for the authentication against the Peers must be passed along. I am trying to do the second because I cannot find any examples of which fields must be added in the connection.json in order to be able to load the peer's client certificates.

lucribas commented 1 year ago

same error here with the last two versions of fabric docker image:

Error on fabric-sdk-go pkg

Failed to get network: Failed to create new channel client: event service creation failed: could not get chConfig cache reference: QueryBlockConfig failed: QueryBlockConfig failed: queryChaincode failed: Transaction processing for endorser [peer0.org1.example.com:7051]: Endorser Client Status Code: (2) CONNECTION_FAILED. Description: dialing connection on target [peer0.org1.example.com:7051]: connection is in TRANSIENT_FAILURE

Error on peer:

2022-10-12 01:03:25.267 UTC 1b3f ERRO [core.comm] ServerHandshake -> Server TLS handshake failed in 1.53156ms with error remote error: tls: bad certificate server=PeerServer remoteaddress=192.168.208.8:58410
2022-10-12 01:03:25.267 UTC [grpc] WarningDepth -> DEBU 022 [core]grpc: Server.Serve failed to complete security handshake from "192.168.208.8:58410": remote error: tls: bad certificate

MisiakGeo commented 1 year ago

This is not an error related to fabric per se. It is a connection error and it is related purely to fabric sdk go.

The peer expects a client certificate to be sent with the connection in order for the peer to be able to verify that the client certificate is valid and has matching common names. Fabric sdk go unfortunately is a low-level SDK, meaning that we must provide a way to load client certificates during the gRPC call.

I saw that the fabric-gateway (high-level SDK) package allows you to create a gRPC connection with the peer and you can pass certificates directly during the gRPC call. There is an example for that (but be careful, if you have an intermediate CA, you must change the AddCert() function to AppendCertsFromPEM(), because the first function adds only one certificate to the certpool each time, but the second function adds the whole chain of trust) that is uploaded in the fabric-samples repository. The problem here is that if you used fabric sdk go to create a solution, you need to refactor everything.

Finally, I hope that a much simpler way can be found, in order to be able to supply client certificates during the gRPC call using fabric sdk go, and to avoid all the refactoring with the fabric-gateway.
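The certificate checks that a mutual-TLS handshake performs, as discussed in this thread, can be repeated offline to see which side of the configuration fails; the following is an added example, not code from the thread or from fabric-sdk-go. The names `preflight` and `issue` are hypothetical, the certificates are constructed in memory for the demonstration, and it assumes the client and the peer trust the same TLS CA bundle.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// preflight repeats offline the two certificate checks of a mutual-TLS handshake.
func preflight(caBundlePEM []byte, peer, client *x509.Certificate, host string) (peerErr, clientErr error) {
	pool := x509.NewCertPool() // assumption: client and peer trust the same CA bundle
	if !pool.AppendCertsFromPEM(caBundlePEM) { // loads every CERTIFICATE block in the bundle
		err := fmt.Errorf("no certificate found in CA bundle")
		return err, err
	}
	_, peerErr = peer.Verify(x509.VerifyOptions{Roots: pool, DNSName: host}) // client checking the peer
	_, clientErr = client.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return peerErr, clientErr
}

// issue creates a constructed test certificate signed by parent (self-signed if parent is nil).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	root, rootKey, rootPEM := issue("root-ca.example.com", true, nil, nil)
	ica, icaKey, icaPEM := issue("tls-ica.example.com", true, root, rootKey)
	peer, _, _ := issue("peer0.example.com", false, ica, icaKey)
	client, _, _ := issue("sample-admin", false, ica, icaKey)
	fmt.Println(preflight(rootPEM, peer, client, "peer0.example.com")) // root only: both checks fail
	fmt.Println(preflight(append(rootPEM, icaPEM...), peer, client, "peer0.example.com")) // full bundle: both pass
}
```

With real files, the same function takes the PEM bytes of the configured CA bundle and certificates parsed from the peer's and the client's TLS certificate files.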