How can you reenroll an admin certificate for a Hyperledger Fabric peer if it is already expired - hyperledger-fabric

In the Hyperledger Fabric documentation it states to use the fabric-ca-client reenroll if a certificate is about to expire.
Should it also work after a certificate has already expired?
After doing the reenroll request I get the following:
reenroll: x509: certificate has expired or is not yet valid
Are there any other options to renew already expired certificates?

According to the official document, MSP identities never expire. You should be able to reenroll the admin identity.
However, you can also enroll the admin identity again if you have the enrollment secret.
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054

I faced the same issue for the admin user and solved it by running the commands below:
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/crypto-config/peerOrganizations/org1.example.com/tlsca/ca/ca.org1.example.com-cert.pem
export FABRIC_CA_CLIENT_HOME=/tmp/crypto-config/hyperledger/tls-ca/admin
fabric-ca-client reenroll -d -u https://admin:adminpw@ca.org1.example.com:7054 --caname ca-org1
You will get two .pem files:
Stored client certificate at /tmp/crypto-config/hyperledger/tls-ca/admin/msp/signcerts/cert.pem
Stored root CA certificate at /tmp/crypto-config/hyperledger/tls-ca/admin/msp/cacerts/ca-org1-example.com-com-7054-ca-org1.pem
But I didn't find any documentation for the JavaScript libraries' reenroll function. If anyone has any, please post links.

Related

Hyperledger Certificate Reenroll command not working

Hello, can you help me find a way to renew the certificate expiry date? I have searched a lot but didn't find any good help.
export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/peer1
fabric-ca-client reenroll
export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/peer1
Set FABRIC_CA_CLIENT_HOME every time you enroll any peer, admin or user, because it will create fabric-ca-client-config.yaml, which is required to re-enroll the certificate before it expires.

Hyperledger Fabric: Why doesn't cryptogen generate all the necessary crypto material to register new users?

I am using cryptogen to generate all of the crypto material for the Fabric network I am building. I can successfully bring the network up and deploy chaincode. However, I am running into problems when trying to register a new user. I am following along with the asset-transfer-private-data tutorial, and after deploying the chaincode, I run
fabric-ca-client register --caname ca.org1 --id.name org1-client --id.secret org1-password --id.type client --mspdir ./config/crypto-config/peerOrganizations/org1/msp
and get the error
2020/10/03 12:20:11 [INFO] Configuration file location: /home/user/network3.2/config/crypto-config/peerOrganizations/org1/fabric-ca-client-config.yaml
2020/10/03 12:20:11 [ERROR] Enrollment check failed: Idemix enrollment information does not exist
Error: Enrollment information does not exist. Please execute enroll command first. Example: fabric-ca-client enroll -u http://user:userpw@serverAddr:serverPort
There is no fabric-ca-client-config.yaml file. The mspdir I specify has the directories signcerts, keystore, and cacerts, which according to "Hyperledger Fabric: Enrollment check failed: Idemix enrollment information does not exist" are needed. However, both the signcerts and keystore directories are empty, whereas they should include a public cert and a private key respectively.
How can I generate these files? Thanks.
For Idemix, you can use the idemixgen tool.
But both the cryptogen tool and the idemixgen tool are used for testing purposes. For production-level use, you have to use Hyperledger Fabric CA.
cryptogen is an utility for generating Hyperledger Fabric key material. It is provided as a means of preconfiguring a network for testing purposes. It would normally not be used in the operation of a production network.
Link: https://hyperledger-fabric.readthedocs.io/en/release-2.2/commands/cryptogen.html?highlight=cryptogen#cryptogen
cryptogen is a utility to quickly allow you to generate crypto material to get things started. It does not have any direct ties to Fabric CA (intentionally).
The only thing you can do is to leverage the CA key pair generated for each organization (under the ca folder) as the root key pair used when starting up an instance of Fabric CA.

Regarding admin/user identities created for Nodejs Client via Enrollment in Hyperledger Fabric

I have the queries below with regard to client/user identities created by the enrollment process for a Node.js client. When I enroll identities, fabric-ca issues certificates for that particular user. The certificate issued to that client has the properties below.
Certificate Information:
Common Name: admin
Organization Unit: client
Valid From: May 6, 2020
Valid To: May 6, 2021
Issuer: fabric-ca-server, Hyperledger
Now when I try to use the same identity to install and instantiate chaincode or interact with the Fabric runtime via TestAPI, it throws the error below:
2020-05-05 18:35:06.670 UTC [protoutils] ValidateProposalMessage -> WARN 0e4 channel [ichannel]: MSP error: the supplied identity is not valid: x509: certificate signed by unknown authority
I have created crypto certificates for all organizations using cryptogen tool. These certificates have been issued by the certificate authority defined in network-config.yaml file.
I suspect that the difference in the certificate issuer is causing the identity issue. Please let me know if my understanding is correct.
If yes, how can I ensure that these Node.js client certificates are being used by the same certificate authority defined in the network-config.yaml file?
I was able to resolve this issue by updating the Certificate Authorities' environment variables inside the docker-compose file. Earlier they were not getting picked up from the /etc/hyperledger/fabric-ca-server-config/ location. I updated the path for the environment variables below for all Certificate Authorities before regenerating the crypto configuration and restarting the whole network:
FABRIC_CA_SERVER_CA_KEYFILE
FABRIC_CA_SERVER_CA_CERTFILE
Note: TLS configs were disabled inside the network.
This has worked for me.

Hyperledger fabric CA TLS certificate enrolment using fabric node sdk

How can I replicate the following command using the Fabric Node SDK?
fabric-ca-client enroll -d -u https://peer1-org2:peer1PW@0.0.0.0:7052 --enrollment.profile tls --csr.hosts peer1-org2
Below is what I am doing, but the CA gives me the normal enrolment certificates, not the TLS ones. When I use fabric-ca-client for the TLS certificates it gives me the TLS certificates and my network runs successfully, but when I use the Fabric Node client for the same it gives me a TLS handshake error. I know I have to pass csr.hosts peer1-org2, but the csr params in the request below require a CSR generated by openssl, which I don't want to use; I want to rely on the default functionality of the Fabric Node SDK, which generates it by itself.
let enrollment = await ca.enroll({ enrollmentID: ordererName, enrollmentSecret: admnSecret, profile: `tls` });
@Arun
The command you mentioned is correct for TLS:
let enrollment = await ca.enroll({ enrollmentID: ordererName, enrollmentSecret: admnSecret, profile: `tls` });
Understand the TLS profile:
When a CA signs a particular identity it needs some details, like what you are trying to do with the newly generated identity. You need to provide these details, and the CA will internally use these instructions and make them available in the new identity in the form of extensions.
How to verify TLS?
Parse the certificate using an online tool and you should see the information below under the Extensions section; then you can use this certificate and private key for TLS.
keyUsage: Digital Signature, Key Encipherment
extendedKeyUsage: TLS Web Server Authentication, TLS Web Client Authentication
basicConstraints: CA:FALSE
authorityKeyIdentifier: keyid:10:FC:A9:5A:4D:91:7A:5A:58:4E:BC:5A:8F:86:24:DD:B9:54:D3:F2:24:B1:9E:08:75:EC:7E:46:08:8D:28:3B
subjectAltName: DNS:peer0.hype, DNS:peer0, DNS:localhost, DNS:hype-peer0-hype, DNS:hype-peer1-hype
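The two checks that recur on this page, whether a certificate is still inside its validity period (reenroll authenticates with the existing certificate, so it stops working once that certificate has expired) and whether a certificate carries the TLS extensions listed above, can be done offline without an online parser. The script below is an added example, not code from the question, the answers or the Fabric project: it uses only the Python standard library, walks the DER structure of a PEM certificate to read the validity dates, extendedKeyUsage and subjectAltName, and runs against a constructed, unsigned sample certificate whose dates mirror the "Valid From / Valid To" values quoted earlier. Point `inspect()` at the contents of a real `msp/signcerts/cert.pem` to get the same report for an actual identity.

```python
"""Added example (not from the Q&A or the Fabric project): stdlib-only checks on a
PEM certificate: validity window (can this identity still reenroll?) and the TLS
extensions (extendedKeyUsage, subjectAltName) via a minimal DER walker."""
import base64
import datetime as dt
import re

OID_EXT_SAN = "2.5.29.17"
OID_EXT_EKU = "2.5.29.37"
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # TLS Web Server Authentication
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # TLS Web Client Authentication


def pem_to_der(pem: str) -> bytes:
    """Strip the BEGIN/END lines and whitespace, then base64-decode."""
    return base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", pem))


def tlv(buf: bytes, pos: int = 0):
    """Decode one DER element at pos: returns (tag, value bytes, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(buf: bytes):
    """All (tag, value) pairs inside a SEQUENCE/SET body."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        out.append((tag, val))
    return out


def decode_oid(val: bytes) -> str:
    arcs, cur = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:  # base-128 arcs, high bit set on all but the last byte
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def decode_time(tag: int, val: bytes) -> dt.datetime:
    """UTCTime (tag 0x17, two-digit year) or GeneralizedTime (tag 0x18)."""
    s = val.decode("ascii")
    if tag == 0x17:
        year = int(s[:2])
        s = f"{year + (1900 if year >= 50 else 2000)}{s[2:]}"
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def inspect(pem: str) -> dict:
    tbs = children(children(tlv(pem_to_der(pem))[1])[0][1])  # tbsCertificate
    if tbs[0][0] == 0xA0:  # drop the optional explicit version field
        tbs = tbs[1:]
    # now: serial, signatureAlg, issuer, validity, subject, spki, ..., [3] extensions
    not_before, not_after = (decode_time(t, v) for t, v in children(tbs[3][1]))
    info = {"not_before": not_before, "not_after": not_after, "eku": [], "dns_names": []}
    for tag, val in tbs[6:]:
        if tag != 0xA3:
            continue
        for _, ext in children(children(val)[0][1]):  # each Extension SEQUENCE
            parts = children(ext)  # OID, optional critical BOOLEAN, OCTET STRING
            oid, payload = decode_oid(parts[0][1]), parts[-1][1]
            inner = children(tlv(payload)[1])
            if oid == OID_EXT_EKU:
                info["eku"] = [decode_oid(v) for _, v in inner]
            elif oid == OID_EXT_SAN:
                info["dns_names"] = [v.decode("ascii") for t, v in inner if t == 0x82]  # dNSName
    return info


def can_reenroll(info: dict, now=None) -> bool:
    """reenroll authenticates with the current certificate, so it needs a valid one."""
    now = now or dt.datetime.now(dt.timezone.utc)
    return info["not_before"] <= now <= info["not_after"]


def is_tls_cert(info: dict) -> bool:
    return OID_SERVER_AUTH in info["eku"] and OID_CLIENT_AUTH in info["eku"]


# --- constructed sample: a structurally valid but unsigned certificate ---------
def der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunks = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunks.insert(0, (a & 0x7F) | 0x80)
        out += bytes(chunks)
    return out


def constructed_sample_pem(not_before="200506000000Z", not_after="210506000000Z") -> str:
    """Sample cert (constructed; dates mirror the Q&A) so the checks run offline."""
    def ext(oid, payload):
        return der(0x30, der(0x06, encode_oid(oid)) + der(0x04, payload))
    name, alg = der(0x30, b""), der(0x30, der(0x06, encode_oid("1.2.840.10045.4.3.2")))
    eku = der(0x30, b"".join(der(0x06, encode_oid(o)) for o in (OID_SERVER_AUTH, OID_CLIENT_AUTH)))
    san = der(0x30, b"".join(der(0x82, h.encode()) for h in ("peer1-org2", "localhost")))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name
              + der(0x30, der(0x17, not_before.encode()) + der(0x17, not_after.encode()))
              + name + der(0x30, b"") + der(0xA3, der(0x30, ext(OID_EXT_EKU, eku) + ext(OID_EXT_SAN, san))))
    cert = der(0x30, tbs + alg + der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    report = inspect(constructed_sample_pem())
    print("valid until:", report["not_after"], "| can reenroll now:", can_reenroll(report),
          "| TLS cert:", is_tls_cert(report), "| SANs:", report["dns_names"])
```

Running it on the sample reports that the certificate expired on 6 May 2021, so `can_reenroll()` is false today and the only route left is a fresh `enroll` with the enrollment secret, as the first answer on this page says. The DER walker is deliberately minimal (no signature verification, no chain building); it is a monitoring aid for catching expiry before it happens, not a replacement for the CA's own validation.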

Hyperledger Fabric CA Tool not generating identity

I am trying to deploy a production Hyperledger Fabric network on Kubernetes, and when trying out the example from the fabric-ca sample, I can see that the pod running fabric-ca-tools is not generating the identity and gives an error at line number 51 of setup-fabric.sh, in the function registerOrdererIdentities, where the ORDERER is registered with the CA for an identity using the command fabric-ca-client register -d --id.name $ORDERER_NAME --id.secret $ORDERER_PASS --id.type orderer. It fails to register and says:
Error: Response from server: Error Code: 0 - Registration of 'orderer1-org0' failed: Identity 'orderer1-org0' is already registered
I am not able to understand why this error is coming if the identity was not previously registered by the root CA and intermediate CA.
Stuck here for a long time; any help is appreciated.
This error is thrown whenever you try to re-register an identity which is already registered. So that means you have already run the fabric-ca-client register command for --id.name orderer1-org0. The next step would be to enrol orderer1-org0 with the appropriate password, and in return you will receive a certificate and private key from the CA server. The interesting part is, now I am searching for a way to edit the attributes of an already generated certificate, kind of like editing it in the first place. But I keep getting this error. For a moment I thought that revoking the certificate would make it work, but nonetheless that only made it a requirement to run fabric-ca-client reenroll. Unable to find any help anywhere.