How can we implement TLS in first-network?i have tried by adding the below section in peers.What is the need to configure peers by Tls?
CORE_PEER_TLS_ENABLED=true
CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt
I am working on multi organisation network setup using first network of fabric samples.one of the organisation say org1 has created a channel by passing tls certs of orderer ,the other organisation org2 has to fetch the channel created by org1 and join the peers into the channel.when i do fetch action using peer channel fetch by passing tls certs of orderer ,i got the error like
peer channel fetch config-o orderer.example.com:7050 -c channelone1 -f --tls true --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
connection error: desc = "transport: Error while dialing dial tcp 98.124.199.121:7050: connect: connection refused". Reconnecting...
and in orderer logs ,i got error as :
TLS handshake failed with error tls: client didn't provide a certificate {"server": "Orderer", "remote address": "172.24.0.4:49608"}
Created the channel using:
peer channel create -o orderer.example.com:7050 -c channelone1 -f ./channel-artifacts/channel-one.tx --tls true --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
Output is: Received block is 0
By default the first-network will start with TLS enabled.
The four environment variables you refer to are included in the file base/peer-base.yaml the the peer-base file is "included" by use of the extends: and file: base/docker-compose-base.yaml
Related
I am unsure of this is suitable for this forum as this is a technical question. I will add it anyway to see if anyone has any technical skills here.
I am running fabcar from Hyperledger Fabric 2.0 and the invoke works from the invoke.js program but fails using the CLI and peer chaincode. I have tried a few combinations without any success.
The command -
peer chaincode invoke -o orderer.example.com:7050 --ordererTLSHostnameOverride orderer.example.com --tls $CORE_PEER_TLS_ENABLED --cafile ~/fabric-samples/test-network/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem --peerAddresses peer0.org1.example.com:7051 --tlsRootCertFiles ~/fabric-samples/test-network/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt --peerAddresses peer0.org2.example.com:9051 --tlsRootCertFiles ~/fabric-samples/test-network/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt -C mychannel -n fabcar -c '{"Args":["createCar","CAR300", "VW", "Polo", "Grey", "Mary"]}'
Error -
Error: error getting endorser client for invoke: endorser client failed to connect to peer0.org1.example.com:7051: failed to create new connection: connection error: desc = "transport: error while dialing: dial tcp: lookup peer0.org1.example.com: no such host"
Docker containers:
86b85d99b510/dev-peer0.org2.example.com-fabcar_4-2561b83e10218324c7c566345c50373c5f0b501c961992264dc7fa321eaa5f7f/
f0725155e976/dev-peer0.org1.example.com-fabcar_4-2561b83e10218324c7c566345c50373c5f0b501c961992264dc7fa321eaa5f7f/
e2e33a38f61b/peer0.org2.example.com/7051/tcp, 0.0.0.0:9051->9051/tcp
a59f7011af8c/peer0.org1.example.com/0.0.0.0:7051->7051/tcp
f395bed7101d/couchdb1/4369/tcp, 9100/tcp, 0.0.0.0:7984->5984/tcp
b3b7b94ed872/couchdb0/4369/tcp, 9100/tcp, 0.0.0.0:5984->5984/tcp
db56371abe59/orderer.example.com/0.0.0.0:7050->7050/tcp
ddcabab0b13c/ca_org2/7054/tcp, 0.0.0.0:8054->8054/tcp
d7b2bd0a94bc/ca_orderer/7054/tcp, 0.0.0.0:9054->9054/tcp
e0e300be2273/ca_org1/0.0.0.0:7054->7054/tcp
This situation is happened because you called a gRPC to peer server but your call failed to hit the server. This situation may happen for many reasons, but for most of the cases the situation is happened due to server down(peer server exit or down due to misconfiguration) or for wrong certificate or your call failed to hit the server due to misconfiguration.
Use "docker container ls -a" to see all containers including the exited one.
I have set up a network with raft ordering service (5 orderers), 2 orgs and one peer each, the TLS and client authentication are both enabled. I have created the channel and joined it successfully, but I am getting TLS handshake failed error when updating the anchor peer from cli to orderer, and I am not able to create a second channel for the same error. Besides this TLS error why I was able to create the first channel I am very confused, surely incorrect configs causing that.
CLI Commands:
export ORDERER_CA=crypto/ordererOrganizations/example.com/tlsca/ca-chain.pem
export CLIENT_KEY_FILE=crypto/peerOrganizations/org1.example.com/users/Admin#org1.example.com/tls/client.key
export CLIENT_CERT_FILE=crypto/peerOrganizations/org1.example.com/users/Admin#org1.example.com/tls/client.pem
*Worked: peer channel create -o orderer0.example.com:7050 -c mychannel -f ./channel-artifacts/channel.tx --tls --cafile $ORDERER_CA --clientauth --keyfile $CLIENT_KEY_FILE --certfile $CLIENT_CERT_FILE
*Worked: peer channel join -b muchannel.block
*FAILED: peer channel update -o orderer0.example.com:7050 -c mychannel -f ./channel-artifacts/anchors_channel.tx --tls --cafile $ORDERER_CA --clientauth --keyfile $CLIENT_KEY_FILE --certfile $CLIENT_CERT_FILE
CLI yaml config:
- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_TLS_CERT_FILE=crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.pem
- CORE_PEER_TLS_KEY_FILE=crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key
- CORE_PEER_TLS_ROOTCERT_FILE=crypto/peerOrganizations/org1.example.com/tlsca/ca-chain.pem
- CORE_PEER_TLS_CLIENTAUTHREQUIRED=true
- CORE_PEER_TLS_CLIENTCERT_FILE=crypto/peerOrganizations/org1.example.com/users/Admin#org1.example.com/tls/client.pem
- CORE_PEER_TLS_CLIENTKEY_FILE=crypto/peerOrganizations/org1.example.com/users/Admin#org1.example.com/tls/client.key
Orderer yaml config:
- ORDERER_GENERAL_TLS_ENABLED=true
- ORDERER_GENERAL_TLS_PRIVATEKEY=crypto/ordererOrganizations/example.com/orderers/orderer0.example.com/tls/server.key
- ORDERER_GENERAL_TLS_CERTIFICATE=crypto/ordererOrganizations/example.com/orderers/orderer0.example.com/tls/server.pem
- ORDERER_GENERAL_TLS_ROOTCAS=[crypto/ordererOrganizations/example.com/tls/ca-chain.pem]
- ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED=true
- ORDERER_GENERAL_TLS_CLIENTROOTCAS=[crypto/ordererOrganizations/example.com/tlsca/ca-chain.pem,crypto/peerOrganizations/org1.example.com/tlsca/ca-chain.pem,crypto/peerOrganizations/org2.example.com/tlsca/ca-chain.pem]
Try running the command with following environment in your CLI container:
export CORE_PEER_ADDRESS=orderer.example.com:7050
export CORE_PEER_LOCALMSPID=OrdererMSP
export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/users/Admin#example.com/msp
export CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/tls/ca.crt
export ORDERER_CA=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt
export CHANNEL_NAME=mychannel
This is because issuing channel update transaction requires updating the channel configuration file, which according to your present policies, must be signed by an Orderer Organization admin.
I have a problem with instantiating chaincode in Hyperledger fabric Network with comm:
peer chaincode instantiate -o orderer.ex.com:7050 -C roaming -n chaincode -v 1.1 -c '{"Args":[]}' -P "AND ('ORG1MSP.member')" --tls --cafile /etc/hyperledger/fabric/config/ca.crt
The peer is joined the channel and chaincode is installed on it.
The log of orderer is:
ERRO 029 TLS handshake failed with error tls: oversized record received with length 64774 server=Orderer
WARN 02a Error reading from 172.16.0.81:34562: rpc error: code = Canceled desc = context canceled
INFO 02b streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Deliver grpc.peer_address=172.16.0.81:34562 error="rpc error: code = Canceled desc = context canceled" grpc.code=Canceled grpc.call
WARN 02c Error reading from 172.16.0.81:35318: rpc error: code = Canceled desc = context canceled
In the log of the peer - nothing interesting.
The error looks like the client is trying to communicate speak HTTP/GRPC to a server expecting HTTPS/GRPCS (or viceversa)
If your fabric network endpoints are not encrypted, remove the --tls and --cafile flags.
Otherwise, make sure to use an encrypted endpoint for the orderer (e.g. orderer.ex.com:443 if it's exposed via HTTPS with an ingress controller) and the peer as well (CORE_PEER_ADDRESS)
I have also found when enabling TLS that the following environment variables are needed in addition to the --tls and --cafile above:
CORE_PEER_TLS_ROOTCERT_FILE=/path/to/ca/pem (e.g. `letsencryptauthorityx3.pem`)
CORE_PEER_TLS_ENABLED=true
I am getting an error when following the tutorial for adding an new organization in the channel .
The command I typed is
./eyfn.sh up
The output below is the error I got.
+ res=1
+ set +x
+ peer channel join -b mychannel.block
CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls/ca.crt
CORE_PEER_TLS_KEY_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls/server.key
CORE_PEER_LOCALMSPID=Org3MSP
CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
CORE_PEER_TLS_CERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls/server.crt
CORE_PEER_TLS_ENABLED=true
CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org3.example.com/users/Admin#org3.example.com/msp
CORE_PEER_ID=Org3cli
CORE_LOGGING_LEVEL=INFO
CORE_PEER_ADDRESS=peer0.org3.example.com:7051
2018-06-19 22:08:40.019 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
Error: proposal failed (err: rpc error: code = Unknown desc = chaincode error (status: 500, message: Cannot create ledger from genesis block, due to LedgerID already exists))
Usage:
peer channel join [flags]
Flags:
-b, --blockpath string Path to file containing genesis block
Global Flags:
--cafile string Path to file containing PEM-encoded trusted certificate(s) for the ordering endpoint
--certfile string Path to file containing PEM-encoded X509 public key to use for mutual TLS communication with the orderer endpoint
--clientauth Use mutual TLS when communicating with the orderer endpoint
--keyfile string Path to file containing PEM-encoded private key to use for mutual TLS communication with the orderer endpoint
--logging-level string Default logging level and overrides, see core.yaml for full syntax
-o, --orderer string Ordering service endpoint
--ordererTLSHostnameOverride string The hostname override to use when validating the TLS connection to the orderer.
--tls Use TLS when communicating with the orderer endpoint
-v, --version Display current version of fabric peer server
peer0.org3 failed to join the channel, Retry after 3 seconds
Specifically the error in the outputs seems to be this,
Error: proposal failed (err: rpc error: code = Unknown desc = chaincode error (status: 500, message: Cannot create ledger from genesis block, due to LedgerID already exists))
I am following instructions from the http://hyperledger-fabric.readthedocs.io/en/release-1.1/channel_update_tutorial.html.
Any guidance seem to be helpful.
Run this command
./byfn.sh -m down
And then run
./eyfn.sh up
Hope this help!
I am adding new org I am getting this error
Error: failed to create deliver client: orderer client failed to
connect to orderer.example.com:7050: failed to create new connection:
context deadline exceeded
while doing this
peer channel fetch 0 mychannel.block -o orderer.example.com:7050 -c
$CHANNEL_NAME --tls --cafile $ORDERER_CA
Error resolved prblem was containers were with different network it works if all the conatiners are in same network