
Node SDK v2 Gateway cannot connect to peer

I've got a running testnet with mutualTLS in a Kubernetes cluster. The setup works as I can flawlessly use the CLI to invoke and query chaincode.

In Node, however, I can enroll the identity, but gateway.connect(...) never succeeds. The error messages from the client and the peer tell me almost nothing.

The script

'use strict';

const FabricCAServices = require('fabric-ca-client');
const { Wallets, Gateway } = require('fabric-network');
const fs = require('fs');
const path = require('path');

const ccp = require('../gateway/connection.json');
const caConfig = require('../gateway/ca-config.json');

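// Enrollment ID registered with the Fabric CA; also used as the wallet label.
const user = 'benchmark';
// Enrollment secret for `user`. A secret committed to source ends up in version
// control and in every copy of the script, so it can be supplied through the
// BENCHMARK_ENROLLMENT_SECRET environment variable (a name chosen for this
// script). The literal fallback keeps the testnet behaviour unchanged and
// should not be reused outside a throwaway network.
const userpw = process.env.BENCHMARK_ENROLLMENT_SECRET || 'benchmarkPW';
// MSP ID recorded in every identity this script stores in the wallet.
const mspID = 'Org1MSP';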

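/**
 * Opens the file-system wallet rooted at `<cwd>/identity/wallet`.
 *
 * The wallet is where this script stores the enrolled certificates and
 * private keys, so the directory should be readable only by the account that
 * runs the script.
 *
 * Failures are not caught here: the listing logged the error and returned
 * `undefined`, which let the following steps run without a wallet. Letting the
 * rejection propagate allows the caller to stop the run instead.
 *
 * @returns {Promise<object>} The wallet returned by `Wallets.newFileSystemWallet`.
 * @throws Whatever `Wallets.newFileSystemWallet` rejects with.
 */
async function createWallet() {
  const walletPath = path.join(process.cwd(), 'identity/wallet');
  return Wallets.newFileSystemWallet(walletPath);
}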

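/**
 * Enrolls the benchmark user with the Fabric CA and stores two identities in
 * the wallet: the signing identity under `user` and the client TLS identity
 * (enrolled with the `tls` profile against the `TLS<caName>` CA) under
 * `${user}-tls`.
 *
 * Each identity is checked separately, so a wallet that holds only one of the
 * two (for example after an interrupted run) is completed rather than skipped.
 *
 * @param {object} wallet - Wallet exposing async `get(label)` and `put(label, identity)`.
 * @returns {Promise<void>}
 * @throws Rethrows any enrollment or wallet error after logging it, so the
 *   caller does not go on to connect with missing identities.
 */
async function enrollUser(wallet) {
  try {
    const caInfo = ccp.certificateAuthorities[caConfig.url];
    const caTLSCACerts = caInfo.tlsCACerts.pem;

    // With `verify: false` the CA's TLS certificate is not validated, so
    // `trustedRoots` has no effect and the enrollment secret is sent to an
    // endpoint whose identity was never checked. Validation therefore stays on
    // unless the connection profile explicitly sets httpOptions.verify to false.
    const verify = !(caInfo.httpOptions && caInfo.httpOptions.verify === false);

    const enrollments = [
      {
        label: user,
        caName: caInfo.caName,
        request: { enrollmentID: user, enrollmentSecret: userpw },
        existsMessage: `An identity for the client user "${user}" already exists in the wallet`,
        doneMessage: `Successfully enrolled msp for user "${user}" and imported it into the wallet`,
      },
      {
        label: `${user}-tls`,
        caName: `TLS${caInfo.caName}`,
        request: { enrollmentID: user, enrollmentSecret: userpw, profile: 'tls' },
        existsMessage: `A TLS identity for the client user "${user}" already exists in the wallet`,
        doneMessage: `Successfully enrolled tls-msp for user "${user}" and imported it into the wallet`,
      },
    ];

    // Sequential on purpose: the signing identity is enrolled before the TLS one.
    for (const { label, caName, request, existsMessage, doneMessage } of enrollments) {
      const existing = await wallet.get(label);
      if (existing) {
        console.log(existsMessage);
        continue;
      }

      const ca = new FabricCAServices(caInfo.url, { trustedRoots: caTLSCACerts, verify }, caName);
      const enrollment = await ca.enroll(request);
      const x509Identity = {
        credentials: {
          certificate: enrollment.certificate,
          privateKey: enrollment.key.toBytes(),
        },
        mspId: mspID,
        type: 'X.509',
      };
      await wallet.put(label, x509Identity);
      console.log(doneMessage);
    }
  } catch (error) {
    console.error(`Error enrolling user "${user}": ${error}`);
    throw error;
  }
}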

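/**
 * Connects a gateway to the network described by the connection profile,
 * using the signing identity `user` and the client TLS identity `${user}-tls`
 * from the wallet, with service discovery enabled and `asLocalhost` off.
 *
 * Connection errors are logged and not rethrown. The gateway is disconnected
 * in every case so a failed attempt does not leave connections open.
 *
 * Note: with SDK debug logging enabled, the resolved connection options,
 * including the client TLS private key, are written to the log, so debug
 * output from this step should be treated as sensitive.
 *
 * @param {object} wallet - Wallet holding both identities.
 * @returns {Promise<void>}
 */
async function startBenchmark(wallet) {
  let gateway;
  try {
    gateway = new Gateway();

    const connectionOptions = {
      identity: user,
      clientTlsIdentity: `${user}-tls`,
      wallet,
      discovery: { enabled: true, asLocalhost: false },
    };

    await gateway.connect(ccp, connectionOptions);
  } catch (error) {
    // The listing's message carried a stray quote character (`Got error:":`).
    console.error(`Got error: ${error}`);
  } finally {
    if (gateway) {
      gateway.disconnect();
    }
  }
}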

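/**
 * Runs the three steps in order: open the wallet, enroll the identities,
 * connect the gateway. Any error that reaches this function is logged and the
 * process exit code is set to 1 so a failed run is visible to the caller.
 *
 * @returns {Promise<void>}
 */
async function main() {
  try {
    const wallet = await createWallet();
    await enrollUser(wallet);
    await startBenchmark(wallet);
  } catch (error) {
    console.error(`Error: ${error}`);
    process.exitCode = 1;
  }
}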



    "name": "Org1MSPprofile",
    "description": "Network on OpenShift/K8s",
    "version": "1.0.0",
    "client": {
        "organization": "Org1MSP"
    "organizations": {
        "Org1MSP": {
            "mspid": "Org1MSP",
            "certificateAuthorities": [
            "peers": [
    "peers": {
        "": {
            "url": "grpcs://",
            "tlsCACerts": {
                "pem": "-----BEGIN CERTIFICATE-----\nxxxx==\n-----END CERTIFICATE-----"
            "grpcOptions": {
                "ssl-target-name-override": ""
    "certificateAuthorities": {
        "": {
            "url": "",
            "caName": "CA",
            "tlsCACerts": {
                "pem": [
                    "-----BEGIN CERTIFICATE-----\nxxxx==\n-----END CERTIFICATE-----"
            "httpOptions": {
                "verify": false

Console output

> node ./src/index.js

2020-08-06T15:00:26.046Z - debug: Successfully constructed a winston logger with configurations debug=console, info=console
2020-08-06T15:00:26.276Z - debug: [crypto_ecdsa_aes]: Hash algorithm: SHA2, hash output size: 256
2020-08-06T15:00:26.552Z - debug: [crypto_ecdsa_aes]: Hash algorithm: SHA2, hash output size: 256
2020-08-06T15:00:26.555Z - debug: [FabricCAClient.js]: Successfully constructed Fabric CA client from options - { caname: 'CA',
  protocol: 'https',
  hostname: '',
  port: 30051,
   { trustedRoots:
      [ '-----BEGIN CERTIFICATE-----\nxxxx==\n-----END CERTIFICATE-----' ],
     verify: false } }
2020-08-06T15:00:26.555Z - debug: [FabricCAClientService.js]: Successfully constructed Fabric CA service client: endpoint - {"protocol":"https","hostname":"","port":30051}
2020-08-06T15:00:26.682Z - debug: [crypto_ecdsa_aes]: generateKey, store.setValue
2020-08-06T15:00:26.687Z - debug: [FabricCAClientService.js]: successfully generated key pairs
2020-08-06T15:00:26.785Z - debug: [FabricCAClientService.js]: successfully generated csr
2020-08-06T15:00:26.786Z - debug: [FabricCAClient.js]: CONNECTION_TIMEOUT = 3000, SO_TIMEOUT = infinite
2020-08-06T15:00:27.103Z - debug: [FabricCAClientService.js]: successfully enrolled benchmark
Successfully enrolled msp for user "benchmark" and imported it into the wallet
2020-08-06T15:00:27.109Z - debug: [crypto_ecdsa_aes]: Hash algorithm: SHA2, hash output size: 256
2020-08-06T15:00:27.110Z - debug: [FabricCAClient.js]: Successfully constructed Fabric CA client from options - { caname: 'TLSCA',
  protocol: 'https',
  hostname: '',
  port: 30051,
   { trustedRoots:
      [ '-----BEGIN CERTIFICATE-----\nxxxx==\n-----END CERTIFICATE-----' ],
     verify: false } }
2020-08-06T15:00:27.110Z - debug: [FabricCAClientService.js]: Successfully constructed Fabric CA service client: endpoint - {"protocol":"https","hostname":"","port":30051}
2020-08-06T15:00:27.174Z - debug: [crypto_ecdsa_aes]: generateKey, store.setValue
2020-08-06T15:00:27.175Z - debug: [FabricCAClientService.js]: successfully generated key pairs
2020-08-06T15:00:27.255Z - debug: [FabricCAClientService.js]: successfully generated csr
2020-08-06T15:00:27.255Z - debug: [FabricCAClient.js]: CONNECTION_TIMEOUT = 3000, SO_TIMEOUT = infinite
2020-08-06T15:00:27.489Z - debug: [FabricCAClientService.js]: successfully enrolled benchmark
Successfully enrolled tls-msp for user "benchmark" and imported it into the wallet
2020-08-06T15:00:27.492Z - debug: [Gateway]: in Gateway constructor
2020-08-06T15:00:27.495Z - debug: [Gateway]: connect - start
2020-08-06T15:00:27.495Z - debug: [Gateway]: connection options: {"identity":"benchmark","tlsInfo":{"certificate":"-----BEGIN CERTIFICATE-----\nxxxx/o=\n-----END CERTIFICATE-----\n","key":"-----BEGIN PRIVATE KEY-----\r\nxxxx\r\n-----END PRIVATE KEY-----\r\n"},"wallet":{"providerRegistry":{"providers":{}},"store":{"storePath":"/home/user/test/benchmark/identity/wallet"}},"discovery":{"enabled":true,"asLocalhost":false}}
2020-08-06T15:00:27.496Z - debug: [Client]: Client.constructor[gateway client] - start
2020-08-06T15:00:27.496Z - debug: [Gateway]: connect - setting identity from wallet
2020-08-06T15:00:27.498Z - debug: [crypto_ecdsa_aes]: createKeyFromRaw - start
2020-08-06T15:00:27.500Z - debug: [crypto_ecdsa_aes]: createKeyFromRaw - have the key [Circular]
2020-08-06T15:00:27.500Z - debug: [crypto_ecdsa_aes]: createKeyFromRaw - start
2020-08-06T15:00:27.502Z - debug: [crypto_ecdsa_aes]: createKeyFromRaw - have the key [Circular]
2020-08-06T15:00:27.503Z - debug: [Gateway]: connect - setting tlsInfo
2020-08-06T15:00:27.503Z - debug: [Client]: setTlsClientCertAndKey: gateway client - start
2020-08-06T15:00:27.503Z - debug: [Gateway]: connect - NetworkConfig loading client from ccp
2020-08-06T15:00:27.504Z - debug: [NetworkConfig]: loadFromConfig - start
2020-08-06T15:00:27.504Z - debug: [NetworkConfig]: buildPeer - start -
2020-08-06T15:00:27.504Z - debug: [NetworkConfig]: findPeerMspid - start for
2020-08-06T15:00:27.504Z - debug: [NetworkConfig]: findPeerMspid - checking peer in org Org1MSP
2020-08-06T15:00:27.504Z - debug: [NetworkConfig]: findPeerMspid - found mspid Org1MSP for
2020-08-06T15:00:27.505Z - debug: [NetworkConfig]: buildOptions - start
2020-08-06T15:00:27.505Z - debug: [Client]: newEndpoint: gateway client - start
2020-08-06T15:00:27.505Z - debug: [Client]: getConnectionOptions: gateway client - start
2020-08-06T15:00:27.506Z - debug: [Client]: newEndpoint: gateway client grpc-wait-for-ready-timeout set to 3000
2020-08-06T15:00:27.506Z - debug: [Client]: newEndpoint: gateway client - ssl_target_name_override:
2020-08-06T15:00:27.507Z - debug: [Endpoint]: Endpoint.constructor - start
2020-08-06T15:00:27.508Z - debug: [Client]: new endpoint url: grpcs://
2020-08-06T15:00:27.508Z - debug: [NetworkConfig]: buildPeer - about to connect to endorser url:grpcs:// mspid:Org1MSP
2020-08-06T15:00:27.508Z - debug: [Client]: getEndorser: gateway client start
2020-08-06T15:00:27.508Z - debug: [Client]: getEndorser: gateway client create endorser
2020-08-06T15:00:27.509Z - debug: [Endorser]: Endorser.constructor[] - start
2020-08-06T15:00:27.509Z - debug: [Client]: getEndorser: gateway client return endorser
2020-08-06T15:00:27.509Z - debug: [ServiceEndpoint]: connect[] - start
2020-08-06T15:00:27.509Z - debug: [ServiceEndpoint]: connect[] - create the grpc service for
2020-08-06T15:00:27.513Z - debug: [ServiceEndpoint]: waitForReady - start - grpcs://
2020-08-06T15:00:27.513Z - debug: [ServiceEndpoint]: waitForReady - promise running - grpcs://
2020-08-06T15:00:30.514Z - error: [ServiceEndpoint]: Error: Failed to connect before the deadline on Endorser- name:, url:grpcs://, connected:false, connectAttempted:true
2020-08-06T15:00:30.514Z - error: [ServiceEndpoint]: Error: Failed to connect before the deadline on Endorser- name:, url:grpcs://, connected:false, connectAttempted:true
2020-08-06T15:00:30.514Z - error: [ServiceEndpoint]: waitForReady - Failed to connect to remote gRPC server url:grpcs:// timeout:3000
2020-08-06T15:00:30.514Z - error: [ServiceEndpoint]: waitForReady - Failed to connect to remote gRPC server url:grpcs:// timeout:3000
2020-08-06T15:00:30.514Z - error: [NetworkConfig]: buildPeer - Unable to connect to the endorser due to Error: Failed to connect before the deadline on Endorser- name:, url:grpcs://, connected:false, connectAttempted:true
2020-08-06T15:00:30.514Z - error: [NetworkConfig]: buildPeer - Unable to connect to the endorser due to Error: Failed to connect before the deadline on Endorser- name:, url:grpcs://, connected:false, connectAttempted:true
2020-08-06T15:00:30.514Z - debug: [NetworkConfig]: loadFromConfig - end
2020-08-06T15:00:30.514Z - debug: [Gateway]: connect - end
2020-08-06T15:00:30.515Z - debug: [Gateway]: in disconnect

Peer log

2020-08-06 15:09:29.718 UTC [grpc] Warning -> DEBU bba5 grpc: Server.Serve failed to create ServerTransport: connection error: desc = "transport: http2Server.HandleStreams failed to receive the preface from client: EOF"
2020-08-06 15:09:30.904 UTC [grpc] Warning -> DEBU bba6 grpc: Server.Serve failed to create ServerTransport: connection error: desc = "transport: http2Server.HandleStreams failed to receive the preface from client: EOF"
2020-08-06 15:09:32.344 UTC [gossip.discovery] periodicalSendAlive -> DEBU bbaf Sleeping 5s
2020-08-06 15:09:32.743 UTC [grpc] Warning -> DEBU bbb0 grpc: Server.Serve failed to create ServerTransport: connection error: desc = "transport: http2Server.HandleStreams failed to receive the preface from client: EOF"

So something reaches the peer; I just have no clue why the connection can't be established.


  • Provided tlscacert of org1 in connection.json? check
  • Enrolled TLS identity for the client? check
  • Provided the TLS identity to the gateway? check
  • Tried httpOptions.verify = false in connection.json for the peer? check
  • Tried both, user and ${user}-tls as gateway identity? check

Any ideas?

Peer: 2.1
Node - fabric-ca-client: "^2.2.0"
Node - fabric-network: "^2.2.0"

Kind regards


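  • The problem was with my peer's TLS certificate: the host name the client connects to is not listed in the certificate's subject alternative names, so the client closes the connection during the TLS handshake. With export GRPC_VERBOSITY=DEBUG and export GRPC_TRACE=all I got the following from my client: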

    2020-08-10T16:13:52.283Z | subchannel | x.x.x.x:30151 connection closed with error Hostname/IP does not match certificate's altnames: Host: is not in the cert's altnames: DNS:org1-peer1