Develop Reference

TLS certificate renewal deadlock among RAFT orderers after expiry

TLS and MSP certificates of Orderers and Peers in my network were expired. So, I renewed them and change TLS, MSP folder to new one. After restart all my Orderers and Peers, Orderers keep SERVICE_UNAVAILABLE: rejected by Consenter: channel identitych is not serviced by me error from all orderers. Querying the chaincode to each peer works well, so it seems like an orderer's problem.
When my orderer started, the orderer logged a warning like below:
[orderer.consensus.etcdraft] detectSelfID -> WARN 015 Could not find -----BEGIN CERTIFICATE-----
MIIC8DCCApagAwIBAgIUOhF5HhLQW...
-----END CERTIFICATE-----
among [-----BEGIN CERTIFICATE-----
MIIC5TCCAougAwIBAgIUApCtD3xfo9JLFyPd...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIC5DCCAougAwIBAgIUQ/ztvrcb3Z6LB8...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIC5DCCAougAwIBAgIUSCeIphcSIWrs...
-----END CERTIFICATE-----
]
The location of this warning and channel ... is not serviced by me error are same, so I guess these are same problem.
The problem looks like that my new TLS signed certificate is not recognized from blocks' meta information.
Thanks for some comments from the community, I found below link and it seems very close to my problem.
https://jira.hyperledger.org/browse/FAB-16953
However, even I set TLSHandshakeTimeShift to 20s and restart orderers one by one, still the problem occurs. My environment setting is like below:
docker container run -d --name $NODE \
--log-driver json-file --log-opt max-size=1g --log-opt max-file=1 \
-e FABRIC_LOGGING_SPEC=INFO \
-e ORDERER_GENERAL_LISTENADDRESS=0.0.0.0 \
-e ORDERER_GENERAL_GENESISMETHOD=file \
-e ORDERER_GENERAL_GENESISFILE=/artifacts/genesis.block \
-e ORDERER_GENERAL_LOCALMSPID=$MSP \
-e ORDERER_GENERAL_LOCALMSPDIR=/artifacts/msp \
-e ORDERER_GENERAL_TLS_ENABLED=true \
-e ORDERER_GENERAL_TLS_PRIVATEKEY=/artifacts/tls/keystore/key.pem \
-e ORDERER_GENERAL_TLS_CERTIFICATE=/artifacts/tls/signcerts/cert.pem \
-e "ORDERER_GENERAL_TLS_ROOTCAS=[/artifacts/tls/tlscacerts/ca-cert.pem]" \
-e ORDERER_KAFKA_TOPIC_REPLICATIONFACTOR=1 \
-e ORDERER_KAFKA_VERBOSE=true \
-e ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/artifacts/tls/keystore/key.pem \
-e ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/artifacts/tls/signcerts/cert.pem \
-e "ORDERER_GENERAL_CLUSTER_ROOTCAS=[/artifacts/tls/tlscacerts/ca-cert.pem]" \
-e ORDERER_OPERATIONS_LISTENADDRESS=$NODE:8443 \
-e ORDERER_GENERAL_CLUSTER_TLSHANDSHAKETIMESHIFT=48h \
-w="/opt/gopath/src/github.com/hyperledger/fabric" \
-v "$(pwd)"/artifacts:/artifacts \
-v "$(pwd)"/blocks:/var/hyperledger/production/orderer/ \
--network $NETWORK \
hyperledger/fabric-orderer:$VERSION orderer
Did I do some wrong to set TLSHANDSHAKETIMESHIFT value? Still I could not find any solution for my problem. Any kind of helps are welcome. Thanks!

Azure IoT hub and sending messages with mosquitto_pub

I'm trying to send some simple message with mosquitto_pub to Azure IoT HUB but faced some problems with authorization. I'm using following script:
mosquitto_pub \
-h xxxdev.azure-devices.net \
-u "xxxdev.azure-devices.net/xxxdev/?api-version=2018-06-30" \
-P "SharedAccessSignature sr=xxx.azure-
devices.net%2Fdevices%2Fxxxdev&sig=YYYYY&se=1570866689&skn=ZZZZZZZ" \
-t "devices/xxxdev/messages/events/" \
--cafile ca.pem \
-p 8883 \
-i xxxdev \
-V mqttv311 \
-d \
-m 'message'
and after run this script I get following messages:
Client xxxdev sending CONNECT
Client xxxdev received CONNACK (5)
Connection error: Connection Refused: not authorised.
Client xxxdev sending DISCONNECT
My questions are: What exactly does those messages mean? Is it because some parameter like password (given with -P param) is wrong?
I've generated SAS token with bash script: https://learn.microsoft.com/en-us/rest/api/eventhub/generate-sas-token
Assuming that this bash script generates properly the password - what else could be the problem here? How to fix the problem?

Hyperledger Fabric: Registration of 'orderer1-ord' failed in affiliation validation: Failed getting affiliation 'ord.OU': :

we have customized the fabric-ca sample to remove below line in env.sh
export FABRIC_CA_CLIENT_ID_AFFILIATION=org1
and add --id.affiliation $ORG.OU in all calls to fabric-ca-client register or enroll. Example:
scripts/env.sh: fabric-ca-client enroll -d --enrollment.profile tls -u $ENROLLMENT_URL -M /tmp/tls --csr.hosts $HOST_NAME --csr.names O=$ORG --id.affiliation $ORG.OU
scripts/env.sh: fabric-ca-client enroll -d -u https://$ADMIN_NAME:$ADMIN_PASS#$CA_HOST:7054 --csr.names O=$ORG --id.affiliation $ORG.OU
scripts/env.sh: fabric-ca-client enroll -d -u https://$USER_NAME:$USER_PASS#$CA_HOST:7054 --csr.names O=$ORG --id.affiliation $ORG.OU
scripts/setup-fabric.sh: fabric-ca-client register -d --id.name $ORDERER_NAME --id.secret $ORDERER_PASS --id.type orderer --id.affiliation $ORG.OU
scripts/setup-fabric.sh: fabric-ca-client register -d --id.name $ADMIN_NAME --id.secret $ADMIN_PASS --id.attrs "admin=true:ecert" --id.affiliation $ORG.OU
scripts/setup-fabric.sh: fabric-ca-client register -d --id.name $PEER_NAME --id.secret $PEER_PASS --id.type peer --id.affiliation $ORG.OU
scripts/setup-fabric.sh: fabric-ca-client register -d --id.name $ADMIN_NAME --id.secret $ADMIN_PASS --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert" --id.affiliation $ORG.OU
scripts/setup-fabric.sh: fabric-ca-client register -d --id.name $USER_NAME --id.secret $USER_PASS --id.affiliation $ORG.OU
scripts/setup-fabric.sh: fabric-ca-client getcacert -d -u https://$CA_HOST:7054 -M $ORG_MSP_DIR --id.affiliation $ORG.OU
scripts/start-orderer.sh:fabric-ca-client enroll -d --enrollment.profile tls -u $ENROLLMENT_URL -M /tmp/tls --csr.hosts $ORDERER_HOST --csr.names O=$ORG --id.affiliation $ORG.OU
scripts/start-orderer.sh:fabric-ca-client enroll -d -u $ENROLLMENT_URL -M $ORDERER_GENERAL_LOCALMSPDIR --csr.names O=$ORG --id.affiliation $ORG.OU
scripts/start-peer.sh:fabric-ca-client enroll -d --enrollment.profile tls -u $ENROLLMENT_URL -M /tmp/tls --csr.hosts $PEER_HOST --csr.names O=$ORG --id.affiliation $ORG.OU
scripts/start-peer.sh:fabric-ca-client enroll -d -u $ENROLLMENT_URL -M $CORE_PEER_MSPCONFIGPATH --csr.names O=$ORG --id.affiliation $ORG.OU
when we do this we see this error in setup.log:
Error: Response from server: Error Code: 0 - Registration of 'orderer1-ord' failed in affiliation validation: Failed getting affiliation 'ord.OU': : scode: 404, code: 63, msg: Failed to get Affiliation: sql: no rows in result set
If we modify enrollCAADmin to add:
# https://stackoverflow.com/a/48840929/147530
fabric-ca-client affiliation add $1
we now see this error:
Error: Response from server: Error Code: 60 - Affiliation already exists
How can we fix this?

Adding affiliation of $ORG.OU fails but adding affiliation of $ORG works. In setup-fabric.sh, function registerPeerIdentities
fabric-ca-client register -d --id.name $ADMIN_NAME --id.secret $ADMIN_PASS --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" --id.affiliation=$ORG
log "Registering user identity with $CA_NAME"
fabric-ca-client register -d --id.name $USER_NAME --id.secret $USER_PASS --id.affiliation=$ORG
note following section in $FABRIC_CA_SERVER_HOME/fabric-ca-server-config.yaml of rca-myorg1
root#cad23a1fb013:/etc/hyperledger/fabric-ca# cat fabric-ca-server-config.yaml
affiliations:
ord: []
myorg1: []
myorg2: []
myorg3: []
org1:
- department1
- department2
org2:
- department1
from https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#registering-a-new-identity
The affiliation of the registrar must be equal to or a prefix of the
affiliation of the identity being registered. For example, an
registrar with an affiliation of “a.b” may register an identity with
an affiliation of “a.b.c” but may not register an identity with an
affiliation of “a.c”. If root affiliation is required for an identity,
then the affiliation request should be a dot (”.”) and the registrar
must also have root affiliation. If no affiliation is specified in the
registration request, the identity being registered will be given the
affiliation of the registrar.
so not sure why setting affiliation to $ORG works but $ORG.OU does not

Questions on CA authorization (balance-transfer hyperledger)

I am trying to run the balance-transfer example in the link: https://github.com/hyperledger/fabric-samples/tree/master/balance-transfer#sample-rest-apis-request
I want to ask that why I can still invoke the chaincode and run successfully when the authorization: Bearer is org1 but the invoke is done on Org2(["peer1.org2.example.com")? Why this will not cause authorization error?
In addition, why can I query the chaincode use Org1 certificate on Org2. Are there any setup issues related to the CA?
echo "POST invoke chaincode on peers of Org1"
echo
TRX_ID=$(curl -s -X POST \
http://localhost:4000/channels/mychannel/chaincodes/mycc \
-H "authorization: Bearer $ORG1_TOKEN" \
-H "content-type: application/json" \
-d '{
"peers": ["peer1.org2.example.com"],
"fcn":"move",
"args":["a","b","10"]
}')
echo "Transacton ID is $TRX_ID"
echo
echo
Thank you very much.

This is because the peers in JSON string refers to the endorsing peer. It can be left empty. The authorization is based on the token and the transaction will be completed on org1 peers based on the log.

Where to store public key for ssh on ubuntu?

I have a nodejs application under git control version and a git account for managing this one?
sudo adduser \
--system \
--shell /bin/bash \
--gecos ‘User managing of git version control’ \
--group \
--disabled-password \
--home /home/git \
git
Where should I store authorized_keys file
/home/git/authorized_keys
Or
/home/user/authorized_keys
Where user is normal user on my server

/home/git/.ssh/authorized_keys
check this link: http://git-scm.com/book/ch4-4.html

The directory should be at:
/home/git/.ssh/authorized_keys