I am running the fabric ca server using the docker container and using the fabric node for enrolling and register the users. when, I enroll the admin through fabric node its works fine, its create the wallet folder. When i am trying to register the user its throw the error saying
Failed to register user : Error: Calling register endpoint failed with
error [Error: self signed certificate]
Please any suggestion would be appreciated.
The register command should look like:
fabric-ca-client register -d --id.name $ORG_ADMIN --id.secret $ORG_ADMIN_PASSWORD --id.type client --id.affiliation $ORG_AFFILIATION
The fabric-ca-client-config.yaml inside your FABRIC_CA_CLIENT_HOME should look like:
url: https://ca.org0.domain.tld:7054
mspdir: msp
tls:
certfiles: ca-tls.pem
csr:
names:
- C: US
ST: New York
L: New York
O: Org0
OU: Department0
caname: org0-ca
bccsp:
default: SW
sw:
hash: SHA2
security: 256
filekeystore:
keystore: msp/keystore
Please check url and tls.certfiles (if your CA is using TLS).
The msp directory must contain the CA administrator's credentials after enrolling it in the previous step.
Related
I'm getting this error when i am trying to create a channel by running .
peer channel create -o orderer.aj.io:7050 -c channel1 -f /config/channel1.tx
Here are my logs ------------
2019-10-21 05:50:13.950 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
Error: got unexpected status: FORBIDDEN -- implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied: permission denied
What this error means is that the user you are using to create the channel does not have 'Write' permissions, in other words is not an Admin.
In most cases this happens when you use the peers cryptographic material to create the channel instead of the Admins (check where the CORE_PEER_MSPCONFIGPATH environment variable points).
As another user mentioned in another post: there is a new feature in 1.4.3 which allows you to specify an OU for admin rather than explicitly putting certificates in the admincerts folder.
In your crypto-config, you set EnableNodeOUs: true and this automatically enables OUs for all supported roles.
You'll see something like
NodeOUs:
Enable: true
ClientOUIdentifier:
Certificate: cacerts/ca.sampleorg-cert.pem
OrganizationalUnitIdentifier: client
PeerOUIdentifier:
Certificate: cacerts/ca.sampleorg-cert.pem
OrganizationalUnitIdentifier: peer
AdminOUIdentifier:
Certificate: cacerts/ca.sampleorg-cert.pem
OrganizationalUnitIdentifier: admin
OrdererOUIdentifier:
Certificate: cacerts/ca.sampleorg-cert.pem
OrganizationalUnitIdentifier: orderer
in the msp/config.yaml file ( in your case in crypto-config/peerorganisation/org1.example.com/msp/crypto.yaml).
Note the AdminOUIdentifier field. This means that any cert issued by the CA for your org which contains an OU=admin is now considered an admin. The certificate generated for the admin user under your org MSP is also generated with OU=admin (e.g. Subject: C=US, ST=California, L=San Francisco, OU=admin, CN=Admin#sampleorg ).
Another reason could be that in your configtx.yaml you haven't set properly your policies for each section(that was my problem).
Check the configtx.yaml file from the first-network sample and try to set them accordingly
I'm trying to setup Idemix based on the following documentation that I found:
https://hyperledger-fabric.readthedocs.io/en/release-1.4/idemix.html
https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#getting-idemix-cri-certificate-revocation-information
https://hyperledger-fabric.readthedocs.io/en/release-1.4/idemixgen.html
But when invoking a transaction, i received the error below:
$ docker exec -e "CORE_PEER_LOCALMSPTYPE=idemix" -e "CORE_PEER_LOCALMSPID=Org1IdemixMSP" -e "CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/User1#org1.example.com" cli peer chaincode query -C channel1 -n chaincode1 -c '{"Args":["query","a"]}'
Error: error getting default signer: error obtaining the default signing identity: no default signer setup
Steps that I took:
Register a user User1#org1.example.com to fabric CA fabric-ca-client register --id.name User1#org1.example.com --id.secret mysecret --id.type client --id.affiliation org1 --id.attrs role=2 -u http://localhost:7054
Enroll the user and created an idemix identity fabric-ca-client enroll --enrollment.type idemix -u http://User1#org1.example.com:mysecret#localhost:7054
Rename $USER1_DIR/msp/IssuerRevocationPublicKey to $USER1_DIR/msp/RevocationPublicKey. During transaction invocation, the name RevocationPublicKey is expected, not IssuerRevocationPublicKey
Prepare the idemix msp. I copied IssuerPublicKey and IssuerRevocationPublicKey of the CA to the msp folder. I need to rename IssuerRevocationPublicKey to RevocationPublicKey else configtxgen will complain
In configtx.yaml, add an Idemix MSP
- &Org1Idemix
Name: Org1IdemixMSP
# ID to load the MSP definition as
ID: Org1IdemixMSP
msptype: idemix
MSPDir: crypto-config/peerOrganizations/org1idemix.example.com/
Policies: &Org1IdemixMSPPolicies
Readers:
Type: Signature
Rule: "OR('Org1IdemixMSP.member')"
Writers:
Type: Signature
Rule: "OR('Org1IdemixMSP.member')"
Admins:
Type: Signature
Rule: "OR('Org1IdemixMSP.admin')"
Create genesis block, channel block, start network etc2 (as usual)
Try to query transaction and the aforementioned error appears
I did some troubleshooting and based on idemixgen documentation, I found out that I need to put a default signer into the idemix msp i.e. in the user folder. So I placed User1#org1.example.com's SignerConfig file into the user folder and rerun configtxgen. I received the following error:
Error loading MSP configuration for org: Org1IdemixMSP: unexpected EOF
Next I did some comparing with the SignerConfig generated by idemixgen and SignerConfig of User1#org1.example.com. The one generated by idemixgen cannot be opened while the other one is a .json file (shown below), so the format is different. Running configtxgen Using the SignerConfig generated by idemixgen is successful. I want to try to invoke transactions by identities generated by idemixgen but there is no way to generate an identity except for the default signer.
{
"Cred": "CkQKIK/7Slvg7laNMv8n7urCKpRN4gTZJZ7xQUyqPQ0GskWFEiCq/aRBmXlQAnSeJLXViGEHLRoztSCoHU6PDXaft+STexJECiB1dosl0QwT5dR/iNwfj0UvWZLph5U6fTMUVjYXE3W/UhIg6U+q6S9xMZhL7SHYe/v//Vhsw7X7N+93Ha4qQiWu0OIaIKcFZamTWwD5VQppZDEdxv5nr4DZAOn/S0r3gchLFG66IiD7kc8IZFRji8ub7yS5ueK8ZcLm5o+WR9a7wAx7o6fKQCogieDBP6ZS9S2R/JDVaLcAcNbtGlnF2fRS37GyoZmxko4qIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACKiArm8Pnrt+hrBAk1PD9trARpE6XVbdfXN+27uSe9r8uxCogAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE=",
"Sk": "LwrgRX48aewbqKWrvNjo5VFfNSDIJAvdaR4brzOsnWM=",
"organizational_unit_identifier": "org1",
"enrollment_id": "User1#org1.example.com",
"credential_revocation_information": "CAESiAEKIP4MM1C0yWwgKFYPV3wokTrOHFOaEr+EPNImFraJwJ77EiBOpmBXc4rAVNta4cY32BO5JN144ofQNYnSae00o35qKxogcCBG58VCo7N2dw11Ek4+Ue/LJHWNYVhI6Qm0gb7cJ/8iIAVU47zTiMKQQu6mSSl+sp+LTL6AghqYs+ASgRFKrQSbGmgwZgIxAJRyRpR+k3SaAVRm4GM3l+zBU6V/7g73C9RQIU9kPef9XqVl0Gb+hQqrgd1HsTQ5GgIxANb6XNB+CrrQgwbt6msa0SG+aQKpSl48EeP/V7beUkshNubudBS+WjS+PRbf5aW0Nw=="
}
Repo here: https://github.com/aldredb/idemix-sample
I went deep with the code...
if you interested, you can find the GetIdemixMspConfig function in msp/configbuilder.go at fabric 1.4 release branch.
in this function, we can see it will attempt loading a signconf with proto type.
However, we enroll the msp with ca client cli and which returns us a json...
I searched some topic as Unable to unmarshal json to protobuf struct field
In my point of view, that proto Unmarshal will fail with json format.
I have updated composer [cli,playground,rest server etc..] from v.0.16.5 to v 0.19.0. After deploying the network when I try to ping the network it first throws an error and then connects to it on the second try. Why is this happening? How can I activate the current identity admin as in error?
composer network ping -c admin#university
Error: Error trying to ping. Error: 2 UNKNOWN: error executing chaincode: transaction returned with failure: Error: The current identity, with the name 'admin' and the identifier '01899e04161a3a6d64670504fa122e55818295352929b6a616333a3739fde3f2', must be activated (ACTIVATION_REQUIRED)
Command failed
composer network ping -c admin#university
The connection to the network was successfully tested: university
Business network version: 0.0.1
Composer runtime version: 0.19.0
participant: org.hyperledger.composer.system.NetworkAdmin#admin
identity: org.hyperledger.composer.system.Identity#76edd946537645ea0016455a076e32dd10daac1e39fb75200d737b78dbca675d
Command succeeded
When an Identity is first used it has an Enrollment ID and Secret, and a status of "ISSUED". After the first use the Secret is invalidated and Certificates are passed to the client Wallet and the ID has a status of "ACTIVATED".
You can see these different states in this example output from composer identity list command:
$class: org.hyperledger.composer.system.Identity
identityId: 3a1f3c629ef2106b138836f3c9e5fe1ac8358c60a4a1232c5ef1a16a805ab313
name: mary
issuer: ac3dbcbe135ba48b29f97665bb103f8260c38d3872473e584314392797c595f3
certificate:
state: ISSUED
participant: resource:org.acme.mynetwork.Trader#mary
-
$class: org.hyperledger.composer.system.Identity
identityId: 57d1f173c6a9a7f789d243749de16340fee8bf383748d47ac360f846e5c238b9
name: mark
issuer: ac3dbcbe135ba48b29f97665bb103f8260c38d3872473e584314392797c595f3
certificate:
"""
-----BEGIN CERTIFICATE-----
MIICbTCCAhOgAwIBAgIUWHvLyD+Vs6YE1KTpCm1LlQej728wCgYIKoZIzj0EAwIw
czELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNh
biBGcmFuY2lzY28xGTAXBgNVBAoTEG9yZzEuZXhhbXBsZS5jb20xHDAaBgNVBAMT
E2NhLm9yZzEuZXhhbXBsZS5jb20wHhcNMTgwNDAzMTExNjAwWhcNMTkwNDAzMTEy
MTAwWjAtMRwwDQYDVQQLEwZjbGllbnQwCwYDVQQLEwRvcmcxMQ0wCwYDVQQDEwRt
YXJrMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAER3WsqouV+M07SG8gMExLFCZs
8aUSsH8hMRUhKjibzV8fE/JJMOitoLSRpa/KU24p9IiDqBPZY/QdszTE5wzbuqOB
yjCBxzAOBgNVHQ8BAf8EBAMCB4AwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU7EL5
azn+RHinsX6EvEFZeQ5/II4wKwYDVR0jBCQwIoAgGatlq7sEgH2tEuTAqaqmZJ5w
ho46vQIXoyLYnkfhpq4wWwYIKgMEBQYHCAEET3siYXR0cnMiOnsiaGYuQWZmaWxp
YXRpb24iOiJvcmcxIiwiaGYuRW5yb2xsbWVudElEIjoibWFyayIsImhmLlR5cGUi
OiJjbGllbnQifX0wCgYIKoZIzj0EAwIDSAAwRQIhAJSXtjEMu/8xkd0uLzJOP91h
JdHa57ihiPkxOjRGqthTAiAMFrhY0gu/yUxN9cuLdmt/tNaile8W2/Kt+yZBW+ng
gg==
-----END CERTIFICATE-----
"""
state: ACTIVATED
participant: resource:org.acme.mynetwork.Trader#t01
The composer identity list command gives a server side view, but a client side view can be seen with composer card list :
composer card list -c mary
userName: mary
description:
businessNetworkName: tutorial-network
identityId:
roles: none
connectionProfile:
name: hlfv1
x-type: hlfv1
credentials: One time use only secret set
composer card list -c mark#tutorial-network
userName: mark
description:
businessNetworkName: tutorial-network
identityId: 57d1f173c6a9a7f789d243749de16340fee8bf383748d47ac360f846e5c238b9
roles: none
connectionProfile:
name: hlfv1
x-type: hlfv1
credentials: Credentials set
So your transition from 'Activation Required' to activitated is OK, but what is unusual is the "command failed" - what is normal is that the transition from ISSUED to ACTIVATED is hidden from the user, and the first ping works!
I prepared multi-organization with Fabric CA environment by following tutorial. This tutorial itself was worked with no problem.
Deploying a Hyperledger Composer blockchain business network to Hyperledger Fabric (multiple
organizations)
https://hyperledger.github.io/composer/unstable/tutorials/deploy-to-fabric-multi-org.html
In this environment, I'm trying Fabric CA client commands on both ca_peerOrg1 and host environment. I copied tls crt, public key and private key from crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/ and tried following command, but I got error "x509: certificate is valid for ca.org1.example.com, not localhost".
linux1#fabric:~$ fabric-ca-client enroll --caname ca-org1 --tls.certfiles ca.crt --tls.client.certfile Admin#org1.example.com-cert.pem --tls.client.keyfile 0dbfd9d156b90331e6bc4a0529e07cb123f7de586935019499623062f182a8fa_sk -u https://admin:adminpw#localhost:7054
2017/12/19 16:34:35 [INFO] User provided config file: /home/linux1/fabric-ca/clients/admin/fabric-ca-client-config.yaml
2017/12/19 16:34:35 [INFO] generating key: &{A:ecdsa S:256}
2017/12/19 16:34:35 [INFO] encoded CSR
2017/12/19 16:34:35 [INFO] TLS Enabled
Error: POST failure [Post https://localhost:7054/enroll: x509: certificate is valid for ca.org1.example.com, not localhost]; not sending
POST https://localhost:7054/enroll
Authorization: Basic YWRtaW46YWRtaW5wdw==
{"hosts":["fabric"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBOzCB4wIBADBdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDjAMBgNV\nBAMTBWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEI8Y4aR/YxeyMXIQ3\nHGydrTLaoI+6tZ57ho1uv6gNonbFfftE7lrdsIbL8d8QLimztDjtqkg6rk612nso\nD66M9aAkMCIGCSqGSIb3DQEJDjEVMBMwEQYDVR0RBAowCIIGZmFicmljMAoGCCqG\nSM49BAMCA0cAMEQCIH9u2w9xO43Ba5rJ1SCKgtEFfokj1DKhg2cHjnbu8ucEAiBn\nwZKjjSbQage+ElofYbgagWpuCFz0t57Zwycz22M00w==\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","CAName":"ca-org1"}
linux1#fabric:~$
How can I avoid this error ? When I'm looking at the tutorial, I realized that composer connection profile has configuration like "hostnameOverride": "ca.org1.example.com". I guess I need to do same kind for fabric-ca-client.
I am new to Hyperledger Fabric and i am trying to register the fabric client with the server locally. here is what i have done so far.
go get -u github.com/hyperledger/fabric-ca/cmd/...
fabric-ca-server start -b admin:adminpw
after that i got the logs
2017/12/11 13:26:09 [INFO] Home directory for default CA:
/home/akash/fabric-demo 2017/12/11 13:26:09 [INFO] Listening on
http://0.0.0.0:7054
then i tried to register the fabric client with server by using the following commands
export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/admin
fabric-ca-client enroll -u http://admin:adminpw#localhost:7054
and I got the following logs
2017/12/11 13:28:48 [INFO] Stored client certificate at
/home/akash/fabric-ca/clients/admin/msp/signcerts/cert.pem 2017/12/11
13:28:48 [INFO] Stored CA root certificate at
/home/akash/fabric-ca/clients/admin/msp/cacerts/localhost-7054.pem
but when i tried to register the client then i got the following error
fabric-ca-client register --id.name admin --id.affiliation org1.department1 --id.attrs 'hf.Revoker=true,admin=true:ecert'
2017/12/11 13:37:05 [INFO] Configuration file location:
/home/akash/fabric-ca/clients/admin/fabric-ca-client-config.yaml
Error: Error response from server was: Authorization failure
on the fabric-server side i got the following logs
2017/12/11 13:37:05 [ERROR] No certificates found for provided serial and aki
Can anyone tell what i am doing wrong here.
The sequence to obtain new user certificates is to 1) register and then 2) enroll.
For the bootstrap admin (enrollment id:admin) this is already registered when the CA server is started (thus providing the secret when starting the instance). As such, you are able to run the enroll command for admin.
Not too sure what you are trying to do here, but if you are:
1) trying to register a new user. You have to use a new unique enrollment id (not admin)
2) updating the affiliation of the admin enrollment id, refer to the fabric-ca-client command to update an identity (https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html)