I'm trying to access my peer through the fabric-network nodejs sdk.
However, I encounter an error during the gateway.connect in the sdk and the logs I find in the peer container are not helpful.
All I have, even with the grpc=debug logging mode is :
peer0.catie-test | 2020-09-21 13:27:07.731 UTC [core.comm] ServerHandshake -> ERRO 087 TLS handshake failed with error remote error: tls: handshake failure server=PeerServer remoteaddress=172.17.0.1:49918
peer0.catie-test | 2020-09-21 13:27:07.731 UTC [grpc] handleRawConn -> DEBU 088 grpc: Server.Serve failed to complete security handshake from "172.17.0.1:49918": remote error: tls: handshake failure
Any way to have more helpful logs? I would like to know, for example, which keys are used for the TLS handshake check.
Edit with more infos: Configuration files and TLS verification
My peer is configured with TLS with the env variables :
CORE_PEER_TLS_ENABLED=true
CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/crypto/peer/tls-msp/keystore/key.pem
CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/crypto/peer/tls-msp/signcerts/cert.pem
CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/crypto/peer/tls-msp/tlscacerts/tlsca.catie-test-cert.pem
I have the correct tlscacert of my peer on the client side, because the output from the peer and from client side are the same:
cat /etc/hyperledger/crypto/peer/tls-msp/tlscacerts/tlsca.catie-test-cert.pem # From the peer, output ZTd/o8LLw== at the end
cat /tmp/fabric-start-catie-test/building/artifacts/peer0.catie-test-crypto/tls-msp/tlscacerts/tlsca.catie-test-cert.pem # From the client, output ZTd/o8LLw== at the end
Path to the peer tlscacert is filled in the client side connection-profile.json :
"peers": {
    "peer0.catie-test": {
        "tlsCACerts": {
            "path": "/tmp/fabric-start-catie-test/building/artifacts/peer0.catie-test-crypto/tls-msp/tlscacerts/tlsca.catie-test-cert.pem"
        },
        "grpcOptions": {
            "ssl-target-name-override": "172.17.0.7",
            "grpc.keepalive_time_ms": 10000
        },
        "url": "grpcs://172.17.0.4:7051",
        "eventUrl": "grpcs://172.17.0.4:7053"
    }
}
And I also checked that the tlsCAcert is the one that generated my peer cert :
openssl verify -CAfile $CORE_PEER_TLS_ROOTCERT_FILE $CORE_PEER_TLS_CERT_FILE # Output : /etc/hyperledger/crypto/peer/tls-msp/signcerts/cert.pem: OK
Edit 2 : Grpc option, peer name instead of IP and client logs
Also tried adding the grpcOptions to the peer section of the connection-profile.json (see the updated paragraph above) but it didn't change anything.
Also tried to add the peer name to my /etc/hosts to reach my peer via its name instead of its IP. It makes a warning disappear but doesn't solve my problem, and I prefer to work with IPs in my scripts.
Here are the logs of the nodejs sdk client in case it helps to diagnose the problem, but it only says that the Endorser must be connected and I think it is, because it reaches my peer as I have this TLS error in my peer's logs.
(node:59350) [DEP0123] DeprecationWarning: Setting the TLS ServerName to an IP address is not permitted by RFC 6066. This will be ignored in a future version.
2020-09-23T06:42:20.704Z - error: [ServiceEndpoint]: Error: Failed to connect before the deadline on Endorser- name: peer0.catie-test, url:grpcs://172.17.0.7:7051, connected:false, connectAttempted:true
2020-09-23T06:42:20.705Z - error: [ServiceEndpoint]: waitForReady - Failed to connect to remote gRPC server peer0.catie-test url:grpcs://172.17.0.7:7051 timeout:3000
2020-09-23T06:42:20.708Z - error: [NetworkConfig]: buildPeer - Unable to connect to the endorser peer0.catie-test due to Error: Failed to connect before the deadline on Endorser- name: peer0.catie-test, url:grpcs://172.17.0.7:7051, connected:false, connectAttempted:true
at checkState (/home/rqueraud/CATIE/Myrmica/myrmica-start/node_modules/@grpc/grpc-js/build/src/client.js:69:26)
at Timeout._onTimeout (/home/rqueraud/CATIE/Myrmica/myrmica-start/node_modules/@grpc/grpc-js/build/src/channel.js:292:17)
at listOnTimeout (internal/timers.js:549:17)
at processTimers (internal/timers.js:492:7) {
connectFailed: true
}
(node:59350) UnhandledPromiseRejectionWarning: Error: Endorser must be connected
at Channel.addEndorser (/home/rqueraud/CATIE/Myrmica/myrmica-start/node_modules/fabric-common/lib/Channel.js:259:10)
at buildChannel (/home/rqueraud/CATIE/Myrmica/myrmica-start/node_modules/fabric-network/lib/impl/ccp/networkconfig.js:50:21)
at Object.loadFromConfig (/home/rqueraud/CATIE/Myrmica/myrmica-start/node_modules/fabric-network/lib/impl/ccp/networkconfig.js:34:19)
at processTicksAndRejections (internal/process/task_queues.js:97:5)
at async Gateway.connect (/home/rqueraud/CATIE/Myrmica/myrmica-start/node_modules/fabric-network/lib/gateway.js:279:13)
at async queryChaincode (/home/rqueraud/CATIE/Myrmica/myrmica-start/test/chaincode-sdk/index.js:41:5)
at async /home/rqueraud/CATIE/Myrmica/myrmica-start/test/chaincode-sdk/index.js:57:5
Edit 3 : Docker IPs ? Trying with EC2 instances.
As @Urko mentioned, my nodes are in fact docker containers running docker-in-docker (dind) images. Inside these containers are some other containers running the hyperledger peers, cli, ... images.
I access them from the host which is also where I run the fabric sdk nodejs client. I cannot access them via their container name, I think it is only possible in a docker-compose configuration, isn't it ? I already tried (see Edit 2 above) to add their name to my /etc/hosts to reach them via a name instead of an IP but it didn't change anything.
However, as my network startup is scripted, I deployed it using docker-machine in AWS instead of the dind docker containers this time, so these are real instances reachable on the internet. But I still encounter the same errors, here is the log from the peer where you can see this is coming from a public IP :
2020-09-24 08:32:57.653 UTC [core.comm] ServerHandshake -> ERRO 0d7 TLS handshake failed with error remote error: tls: handshake failure server=PeerServer remoteaddress=31.36.26.4:35462
It seems that the connection with your Peer has been defined to be secured by the TLS protocol. So, you may configure your Peer configuration to know which certificates you are using for TLS.
As when you connect to any server using this protocol, the communication among the parties is encrypted using the certificate of the server (in this case, the Peer will be the server). So, you need to configure your client to trust the server through the Root CA that has been used to issue the Peer's TLS certificates.
The client is where you use the SDK, so you should configure it to trust the Peer TLS certificate. When you configure the connection to the Blockchain nodes (peers and orderers), you would define their address, as well as their TLS certificate. This one is an example that you can find at the following link. There, you have to define the value of the tlsCACerts param:
orderers:
  orderer.example.com:
    url: grpcs://localhost:7050
    grpcOptions:
      ssl-target-name-override: orderer.example.com
      grpc-max-send-message-length: 4194304
    tlsCACerts:
      path: test/fixtures/channel/crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tlscacerts/example.com-cert.pem
peers:
  peer0.org1.example.com:
    url: grpcs://localhost:7051
    grpcOptions:
      ssl-target-name-override: peer0.org1.example.com
      grpc.keepalive_time_ms: 600000
    tlsCACerts:
      path: test/fixtures/channel/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tlscacerts/org1.example.com-cert.pem
----- Edited ----
Also, you have to check the value of the ssl-target-name-override param. It should be the same as your node's name, as you can see in the example file.
----- Edited ----
Why are you using those IPs?! I understand that those IPs are internal to the Docker network, so you should not use them. Could you try using your container names instead of the docker network IPs?
----- Edited ----
Could you verify your ca-server configuration file and check that the tls is set to true?
You are trying a gRPC call to the peer server, where the peer server is secured with its TLS system. So if you fail to provide a valid TLS certificate, the server TLS handshake will fail and you will not succeed in establishing the connection.
Please check that your network config file is properly developed; also check that you are using the same TLS certificate that is used to run the peer server and that your TLS certificate path is correct.
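An added example, not part of the thread or of the Fabric SDK: a small Node.js linter for the "peers" section of a connection profile, flagging the name-checking problems the posts above touch on (an IP used as ssl-target-name-override, which is what triggers the DEP0123 warning in the client log, and an override that differs from the URL host). The function name lintPeers, the finding codes and FIXED_PROFILE are assumptions; FIXED_PROFILE assumes the peer certificate lists peer0.catie-test as a SAN.

```javascript
// Added example: lint the "peers" section of a Fabric connection profile.
const net = require('net');

function lintPeers(profile) {
  const findings = [];
  for (const [name, peer] of Object.entries(profile.peers || {})) {
    const add = (code, msg) => findings.push({ peer: name, code, msg });
    let url;
    try { url = new URL(peer.url); } catch (e) { add('BAD_URL', String(peer.url)); continue; }
    const host = url.hostname.replace(/^\[|\]$/g, ''); // strip IPv6 brackets
    const secure = url.protocol === 'grpcs:';
    const override = (peer.grpcOptions || {})['ssl-target-name-override'];
    const ca = peer.tlsCACerts || {};
    if (secure && !ca.path && !ca.pem) {
      add('NO_CA', 'grpcs url but no tlsCACerts path/pem to verify the peer');
    }
    if (!secure && override) {
      add('OVERRIDE_WITHOUT_TLS', 'override has no effect on a non-TLS url');
    }
    if (override && net.isIP(override)) {
      // The override is the name checked against the peer certificate.
      add('OVERRIDE_IS_IP',
        `"${override}" is an IP; RFC 6066 forbids IPs as TLS ServerName (Node DEP0123)`);
      if (net.isIP(host) && override !== host) {
        add('OVERRIDE_IP_MISMATCH', `override ${override} differs from url host ${host}`);
      }
    }
    if (secure && !override && net.isIP(host)) {
      add('IP_URL_NO_OVERRIDE', `certificate must carry ${host} as an IP SAN`);
    }
  }
  return findings;
}

// Constructed from the profile posted in the question (CA path shortened).
const QUESTION_PROFILE = { peers: { 'peer0.catie-test': {
  tlsCACerts: { path: 'tlsca.catie-test-cert.pem' },
  grpcOptions: { 'ssl-target-name-override': '172.17.0.7' },
  url: 'grpcs://172.17.0.4:7051',
} } };

// Assumed correction: keep the IP in the url, check the cert against the peer name.
const FIXED_PROFILE = { peers: { 'peer0.catie-test': {
  tlsCACerts: { path: 'tlsca.catie-test-cert.pem' },
  grpcOptions: { 'ssl-target-name-override': 'peer0.catie-test' },
  url: 'grpcs://172.17.0.4:7051',
} } };

for (const f of lintPeers(QUESTION_PROFILE)) console.log(`${f.peer}: ${f.code}: ${f.msg}`);
```

The linter only inspects the profile; whether the override name really appears in the peer certificate still has to be confirmed against the certificate's Subject Alternative Name entries.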
I am having the same problem with Hyperledger fabric 2.1.1, but I am able to run test network with default options, but when I try to run Fabcar javascript chaincode I get an error:
Error: error getting endorser client for channel: endorser client failed to connect to localhost:7051: failed to create new connection: connection error: desc = "transport: error while dialing: dial tcp 127.0.0.1:7051: connect: connection refused"
I have tried everything mentioned in thread Error deploying Fabric test-network fabcar chaincode, removed docker images, ran prune, removed organizations data and fired ./network.sh up createChannel -ca -c mychannel -s couchdb -i 2.1.1, but the error is still there. Also, my RAM is 16Gb, so the problem is not there. Any other suggestion, please ?
This situation happens because you made a gRPC call to the 127.0.0.1:7051 server but your call failed to reach the server. This may happen for many reasons, but in most cases it is due to the server being down (server exited or is down due to misconfiguration), a wrong certificate, or your call failing to reach the server due to misconfiguration.
Please check the following docker container and ensure that is running properly.
I have setup hyperledger fabric version 1.4.2 with 1 org 2 peers 1 orderer setup all are running in 3 different VMs natively. Now I am trying to implement caliper v0.3.0 in this fabric setup. Peers and Orderer are already up and peers are joined in the channel. I have modified the network config file and benchconfig file in caliper according to my network. So I directly run the caliper using the flag "caliper-flow-only-install". While executing this, I am facing issues like
error: [Orderer.js]: sendBroadcast - on error: "Error: 14 UNAVAILABLE: failed to connect to all addresses\n at Object.exports.createStatusError (/home/xx/caliper-benchmarks/node_modules/grpc/src/common.js:91:15)\n at ClientDuplexStream._emitStatusIfDone (/home/xx/caliper-benchmarks/node_modules/grpc/src/client.js:233:26)\n at ClientDuplexStream._receiveStatus (/home/xx/caliper-benchmarks/node_modules/grpc/src/client.js:211:8)\n at Object.onReceiveStatus (/home/xx/caliper-benchmarks/node_modules/grpc/src/client_interceptors.js:1306:15)\n at InterceptingListener._callNext (/home/xx/caliper-benchmarks/node_modules/grpc/src/client_interceptors.js:568:42)\n at InterceptingListener.onReceiveStatus (/home/xx/caliper-benchmarks/node_modules/grpc/src/client_interceptors.js:618:8)\n at /home/xx/caliper-benchmarks/node_modules/grpc/src/client_interceptors.js:1123:18"
2020.04.29-12:22:12.094 error [caliper] [caliper-engine] Error while performing "install" step: Error: Orderer error for instantiating W1CC#v0 in composerchannelrest: SERVICE_UNAVAILABLE
It seems the issue is with using incorrect docker container port mapping.
Use the host port rather than the docker container port.
You can even cross check connection to container with network utility.
For instance, nc -vz [host] [port]
Hope this resolves SERVICE_UNAVAILABLE error.
I'm running the fabcar example from fabric samples on a node. My fabric network is first-network (BYFN) run inside docker containers and I would like to invoke chaincode using a node.js fabric-client application on a separate node (Raspberry Pi).
In connection-org1.json file, I have replaced the localhost domain names (in the peer urls) with my own domain name (mydomain.com) where the fabric network is running.
I execute invoke.js on Raspberry Pi with the following modified gateway settings:
await gateway.connect(ccpPath, { wallet, identity: 'user1', discovery: { enabled: true, asLocalhost: false } });
This gives me an error message:
2019-07-04T07:15:30.124Z - error: [Remote.js]: Error: Failed to connect before the deadline URL:grpcs://peer0.org1.example.com:7051
2019-07-04T07:15:30.132Z - warn: [DiscoveryEndorsementHandler]: _build_endorse_group_member >> G0:0 - endorsement failed - Error: Failed to connect before the deadline URL:grpcs://peer0.org1.example.com:7051
2019-07-04T07:15:30.134Z - error: [Remote.js]: Error: Failed to connect before the deadline URL:grpcs://peer0.org2.example.com:9051
2019-07-04T07:15:30.135Z - warn: [DiscoveryEndorsementHandler]: _build_endorse_group_member >> G1:1 - endorsement failed - Error: Failed to connect before the deadline URL:grpcs://peer0.org2.example.com:9051
Failed to submit transaction: Error: Endorsement has failed
I see that the domain names of the endorsers are the ones defined in the docker compose files, not the domain (mydomain.com) where my fabric network is running.
How should I configure the fabric network or the node.js fabric-client application so that I can invoke chaincode from my Raspberry Pi node?
I made a workaround where I extended the /etc/hosts file on my Raspberry Pi. I made the endorsing peer domain names peer0.org1.example.com and peer0.org2.example.com to point to the IP address of my host where I run the fabric network (docker).
This fixed the issue and now I'm able to invoke chaincode from the Raspberry Pi host.
It is solved, please see this: Connection timeout when installing chaincode using fabric-sdk-go
Dev ENV: Mac and Docker (3 CAs, 3 Orgs, 4 Peers)
Fabric SDK: fabric-sdk-go
Description: I use the sdk to install the chaincode but it errors out when sending proposal to the endorser. Seems that I cannot send the grpc request to the container. Things are working fine with the http request to the fabric CA containers.
ErrorMessage:
unable to verify if cc is installed on grpcs://peer1-xxxx:7051. Got error: lscc.getinstalledchaincodes failed: SendProposal failed: Transaction processing for endorser [peer1-xxxx:7051]: Endorser Client Status Code: (2) CONNECTION_FAILED. Description: dialing connection timed out [peer1-xxxx:7051]