I have below queries with regards to client/user identities created by enrollment process for nodejs client. When I try to enroll identities then fabric-ca issue certificates for that particular user. Certificate issued to that client has below properties.
Certificate Information:
Common Name: admin
Organization Unit: client
Valid From: May 6, 2020
Valid To: May 6, 2021
Issuer: fabric-ca-server, Hyperledger
Now when I try to use the same identity to install and instantiate chaincode or interact with fabric runtime via TestAPI it throws below error :
2020-05-05 18:35:06.670 UTC [protoutils] ValidateProposalMessage -> WARN 0e4 channel [ichannel]: MSP error: the supplied identity is not valid: x509: certificate signed by unknown authority
I have created crypto certificates for all organizations using cryptogen tool. These certificates have been issued by the certificate authority defined in network-config.yaml file.
I suspect that the difference in the certificate issuer it's causing identity issue. Please let me know if my understanding is correct.
If yes then how I can ensure that these nodejs client certificates are being used by the same certificate authority defined in network-config.yaml file.
I was able to resolve this issue by updating Certificate Authorities environment variables inside the docker-compose file. Earlier they were not getting picked from /etc/hyperledger/fabric-ca-server-config/ location.I did update path for below environment variables of all certificate Authorities before regenerating crypto configurations and restarting the whole network:
FABRIC_CA_SERVER_CA_KEYFILE
FABRIC_CA_SERVER_CA_CERTFILE
Note: TLS configs were disabled inside the network.
This has worked for me.
Related
In the Hyperledger Fabric official website, it states to use the fabric-ca-client reenroll if a certificate is about to expire. I tried to reenoll the certificates but an x.509 error occurred:
[grpc] createTransport -> DEBU bab grpc: addrConn.createTransport failed to connect to {orderer:7050 0 }. Err :connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority". Reconnecting...
I have used the same CA to reenroll the certificate, I don't know why "unknown authority" error shown.
It would be grateful if anyone can give me a full steps for replacing the admin certificate for the Hyperledger Fabric.
You can use akc-dcm-cli. It support renew user of Hyperledger Fabric by running command:
dcm certificate renew --parent-cert=../data/intermediate-ca/signcerts/ica-cert.pem
--parent-private-key=../data/intermediate-ca/keystore/ica-key.pem
--old-cert=../data/peer/output/peer-cert.pem
--old-private-key=../data/peer/keystore/peer-key.pem
--output=../data/peer/output/renew-peer-cert.pem
--days=365
parent-cert and parent-private-key are key-pair of CA
old-cert and old-private-key are key-pair of expired user
output is the path of new cert
After renewing the cert, you replace the expired cert of the user with the new cert. Keep current private key of user' cert
I noticed that HLf admincerts and tls certs, by default, have an expiration date of 1 year. In my case, they have expired and my orderer and peer nodes are giving me a bad certificate error.
Is there any way to do certificate rotation? I don't want to loose any data as the network is in a production enviroment. I am using hyperledger fabric 1.4 version with the raft ordering service.
You can change the default expiry time of an x509 certificate by changing its duration in the fabric-ca-server configuration file. You'll find this file inside CA's docker container.
Reference to the fabric-ca-server configuration file can be found here.
Change the value of expiry from 8760h to xxxx in the signing section of the file. signing section looks like this:
signing:
default:
usage:
- digital signature
expiry: 8760h
profiles:
ca:
usage:
- cert sign
- crl sign
expiry: 43800h
caconstraint:
isca: true
maxpathlen: 0
tls:
usage:
- signing
- key encipherment
- server auth
- client auth
- key agreement
expiry: 8760h
After changing the value of expiry, you'll have to restart your CA container for the changes to take effect.
Once your container is restarted, re-enroll your admin to create a new x509 certificate with the updated expiry duration. You can read about reenrolling an identity from here.
If you want to avoid such scenarios in the future for any user, you can reenroll it before doing a transaction. You can perform the re-enroll operation if the certificate has already expired or going to expire in the next x amount of time.
I am on fabric v2.3 and using Fabric CA.
When we re-enroll the peers, orderer or admin it will generate a new pair of certifcates.
Please correct me if i am wrong, these newly generated certificates needs to be updated in the channel configuration as well? At least this is what the doc says here
I tried to follow the doc and it does contains the root_certs and tls_certs which we need to replace. A usual sample config block after decoding it into json files looks something like this. The respective certs needs to replaced here which seems quite error prone since it's manual and a lot of certs needs to be replaced (depending on the number of peers, orderers, and organisations you've got). And, also not to forget these certs are referenced by the ccp.yaml and ccp.json as well which is used by the fabric sdk.
I am not sure if my understanding is correct about this, as I am struggling with this thing as well. I haven't been able to successfully pull this of as of now. It's strange that hyperledger fabric/Fabric CA doesn't really has a straightforward way of doing this.
Our case: k8s, fabric v2.2, mutual tls requied for all hyperledger connections, certificates expired 3 days ago.
First of all we need to pass through expired tls. Add to the orderer config:
ORDERER_GENERAL_TLS_TLSHANDSHAKETIMESHIFT: 120h
ORDERER_GENERAL_AUTHENTICATION_NOEXPIRATIONCHECKS: "true"
The latest parameter will allow to use expired MSP entities later.
To skip tls checks on the peer side, use the --tlsHandshakeTimeShift 120h parameter.
After the connection was restored, we need to update certificates in the blockchain. Unfortunately there is no analog of the _NOEXPIRATIONCHECKS option for the peer, so we need to use a time-shifted environment. I didn't manage to run the one in the kubernetes, so I had to use a notebook with ntp disabled and port-forwarded orderer endpoint. Be aware that if your kubernetes authentication is token-based, it can stop working because of having the incorrect time. In Azure, this is fixed by getting admin config.
That environment should be enough for step-by-step replaying of your standard certificate rotating scripts. If you don't have any, dive into this issue.
In the Hyperledger Fabric documentation it states to use the fabric-ca-client reenroll if a certificate is about to expire.
Should it work also after a certificate has already expiry?
After doing the reenroll request I get the following below:
reenroll: x509: certificate has expired or is not yet valid
Are there any other options to renew already expired certificates?
According to the official document, MSP identities never expire. You should be able to reenroll the admin identity.
However, you can also enroll the admin identity again if you have the enrollment secret.
fabric-ca-client enroll -u http://admin:adminpw#localhost:7054
I faced the same issue for the admin user and solved it by running the below command
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/crypto-config/peerOrganizations/org1.example.com/tlsca/ca/ca.org1.example.com-cert.pem
export FABRIC_CA_CLIENT_HOME=/tmp/crypto-config/hyperledger/tls-ca/admin
fabric-ca-client reenroll -d -u https://admin:adminpw#ca.org1.example.com:7054 --caname ca-org1
You will get two .pem files
Stored client certificate at /tmp/crypto-config/hyperledger/tls-ca/admin/msp/signcerts/cert.pem
Stored root CA certificate at /tmp/crypto-config/hyperledger/tls-ca/admin/msp/cacerts/ca-org1-example.com-com-7054-ca-org1.pem
But I didn't find any documentation for javascript libraries to use reenroll function. if anyone has please post links
I get this error when I am starting an orderer.
Failed to initialize local MSP: admin 0 is invalid: could not obtain certification chain: An X509 certificate with Basic Constraint: Certificate Authority equals true cannot be used as an identity
How can I resolve this?
I have the orderer running on a separate node from where I have generated the admin certs.
Possible this means that the admin certs on the orderer are invalid, or doesn't exist. For me it was expected to be in the following folder: [orderer org]/msp/admincerts/cert.pem but was not.
Ensure that admin certs generated for your orderer are correct, whether they are generated by cryptogen or with fabric-ca.
I'm trying to add a new org called Org4 in the fabric network generated by the script byfn. I'm following this tutorial http://hyperledger-fabric.readthedocs.io/en/latest/channel_update_tutorial.html
But I met an error when I try to do the "peer channel update" :
could not create channel Application sub-group config: setting up the MSP manager failed: the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.org4.example.com"
I don't know why the certificate is not valid because I generated it the same way I did and succeed with Org3. Using cryptogen and I changed the config files by replacing 'Org3' to 'Org4'.
First I thought it was because I had already three orgs, but then I create a new network and try to add Org4. It didn't work, but if i try again to add Org3 it will work. So I'm confused about how just changing the name of the Org can impact the process.
Best Regards