# MetaMask "Could not fetch chain ID" Error Fix

**Error**: "Could not fetch chain ID. Is your RPC URL correct?"

**Date**: 2025-01-27  
**Network**: ChainID 138 (DeFi Oracle Meta Mainnet)

---

## 🔴 Problem

When trying to add or connect to ChainID 138 in MetaMask, you see the error:
> "Could not fetch chain ID. Is your RPC URL correct?"

This error occurs when MetaMask cannot communicate with the RPC endpoint.

---

## 🔍 Root Cause

The most common cause is that the RPC endpoint is requiring **JWT authentication**, which MetaMask does not support. MetaMask can only connect to public RPC endpoints that don't require authentication.

**Expected Behavior**:
- Public RPC endpoint (`https://rpc-http-pub.d-bis.org`) should accept requests WITHOUT authentication
- MetaMask should be able to call `eth_chainId` without any special headers

**Current Issue**:
- The endpoint is returning: `"Unauthorized. Missing or invalid JWT token"`
- This indicates the server is incorrectly configured with JWT authentication

---

## ✅ Solution: Fix MetaMask Network Configuration

### Step 1: Remove Existing Network

1. Open MetaMask
2. Click the network dropdown (top center)
3. Click "Settings" (gear icon) or go to Settings → Networks
4. Find "Defi Oracle Meta Mainnet" or "SMOM-DBIS-138"
5. Click "Delete" or "Remove" to remove the network

### Step 2: Add Network with Correct RPC URL

1. Click "Add Network" → "Add a network manually"
2. Enter these **exact** values:

   ```
   Network Name: Defi Oracle Meta Mainnet
   RPC URL: https://rpc-http-pub.d-bis.org
   Chain ID: 138
   Currency Symbol: ETH
   Block Explorer URL: https://explorer.d-bis.org (optional)
   ```

3. Click "Save"

**Critical Notes**:
- RPC URL **must** be `https://rpc-http-pub.d-bis.org` (the public endpoint)
- Chain ID **must** be `138` (decimal, NOT hex `0x8a`)
- Do NOT use `https://rpc-core.d-bis.org` (deprecated/internal)
- Do NOT use `https://rpc-http-prv.d-bis.org` (requires JWT auth)

### Step 3: Verify Connection

1. Switch to the network you just added
2. Check if your balance loads (should show ETH balance if you have any)
3. If you still get an error, proceed to the server-side fix below

---

## 🔧 Server-Side Fix (For Network Administrators)

If the error persists after updating MetaMask, the server configuration needs to be fixed.

### Architecture

The actual routing path is:
```
Internet → Cloudflare DNS/SSL → Cloudflared Tunnel → Nginx (VMID 2500) → Besu RPC (192.168.11.250:8545)
```

**Endpoints**:
- `https://rpc-http-pub.d-bis.org` → Routes to `http://192.168.11.250:8545`
- `wss://rpc-ws-pub.d-bis.org` → Routes to `ws://192.168.11.250:8546`

### Issue

The Nginx configuration on **VMID 2500** (`192.168.11.250`) is incorrectly configured with JWT authentication for the public endpoint. It should serve `rpc-http-pub.d-bis.org` **WITHOUT** authentication.

### Fix Steps

1. **Verify Nginx Configuration on VMID 2500**:
   ```bash
   ssh root@192.168.11.10 "pct exec 2500 -- cat /etc/nginx/sites-available/*"
   ssh root@192.168.11.10 "pct exec 2500 -- nginx -T | grep -A 20 'rpc-http-pub'"
   ```

2. **Check for JWT Authentication**:
   - Look for `auth_request` directives
   - Look for Lua JWT validation scripts
   - Check if `rpc-http-pub.d-bis.org` is configured with JWT

3. **Remove JWT Authentication from Public Endpoint**:
   - The Nginx config for `rpc-http-pub.d-bis.org` should NOT include JWT validation
   - Remove any `auth_request` directives for the public endpoint
   - Remove any Lua JWT validation scripts for the public endpoint

4. **Correct Nginx Configuration Should Look Like**:
   ```nginx
   # Public endpoint - NO authentication
   server {
       listen 443 ssl;
       listen [::]:443 ssl;
       server_name rpc-http-pub.d-bis.org;
       
       # SSL configuration...
       
       location / {
           proxy_pass http://127.0.0.1:8545;
           proxy_set_header Host $host;
           proxy_set_header X-Real-IP $remote_addr;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header X-Forwarded-Proto $scheme;
           # NO JWT authentication here!
       }
   }
   
   # Public WebSocket endpoint - NO authentication
   server {
       listen 443 ssl;
       listen [::]:443 ssl;
       server_name rpc-ws-pub.d-bis.org;
       
       # SSL configuration...
       
       location / {
           proxy_pass http://127.0.0.1:8546;
           proxy_http_version 1.1;
           proxy_set_header Upgrade $http_upgrade;
           proxy_set_header Connection "upgrade";
           proxy_set_header Host $host;
           proxy_set_header X-Real-IP $remote_addr;
           # NO JWT authentication here!
       }
   }
   ```

5. **Test the Endpoint**:
   ```bash
   curl -X POST https://rpc-http-pub.d-bis.org \
     -H "Content-Type: application/json" \
     -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'
   ```
   
   **Expected Response**:
   ```json
   {"jsonrpc":"2.0","id":1,"result":"0x8a"}
   ```
   
   **If you get JWT error**: JWT authentication is still enabled (wrong!)

6. **Restart Nginx**:
   ```bash
   ssh root@192.168.11.10 "pct exec 2500 -- nginx -t"
   ssh root@192.168.11.10 "pct exec 2500 -- systemctl restart nginx"
   ```

7. **Verify Cloudflared Tunnel Routing**:
   - Check that Cloudflared tunnel is routing `rpc-http-pub.d-bis.org` to Nginx on VMID 2500
   - Verify tunnel configuration matches the actual routing path

### Verify Configuration

| Endpoint | Should Require Auth? | Status |
|----------|---------------------|--------|
| `https://rpc-http-pub.d-bis.org` | ❌ NO | Should work without JWT |
| `https://rpc-http-prv.d-bis.org` | ✅ YES | Requires JWT (correct) |

---

## 📋 Troubleshooting Checklist

If the error persists, check:

- [ ] RPC URL is exactly `https://rpc-http-pub.d-bis.org` (no typos)
- [ ] Chain ID is `138` (decimal, not `0x8a` or hex)
- [ ] Network was removed and re-added after changing RPC URL
- [ ] Browser cache cleared and MetaMask reloaded
- [ ] Server endpoint responds to `eth_chainId` without JWT token
- [ ] Nginx on VMID 2500 is configured without JWT for public endpoint
- [ ] Cloudflared tunnel is routing `rpc-http-pub.d-bis.org` correctly
- [ ] Request path: Cloudflare → Cloudflared → Nginx (VMID 2500) → Besu RPC (192.168.11.250:8545)

---

## 🔗 Related Documentation

- [MetaMask Quick Start Guide](/docs/01-getting-started/METAMASK_QUICK_START_GUIDE.md)
- [MetaMask Troubleshooting Guide](/docs/09-troubleshooting/METAMASK_TROUBLESHOOTING_GUIDE.md)
- [RPC DNS Configuration](/docs/04-configuration/RPC_DNS_CONFIGURATION.md)
- [RPC JWT Authentication](/docs/04-configuration/RPC_JWT_AUTHENTICATION.md)

---

## 📞 Getting Help

If you continue to experience issues:

1. **Test the RPC endpoint** using the curl command above
2. **Check MetaMask console** for detailed error messages
3. **Verify network settings** in MetaMask match the values above
4. **Contact network administrators** if the server needs reconfiguration

---

**Last Updated**: 2025-01-27  
**Status**: Active issue - requires server configuration fix