I am able to register & enroll a peer/orderer identity with fabric-ca. Now I want to generate TLS certs and a key for that. Does anyone know how to do that?
Any reference/steps would be helpful
Use the -m and --enrollment.profile flags with the fabric-ca-client ( https://hyperledger-fabric-ca.readthedocs.io/en/latest/clientcli.html ).
fabric-ca-client enroll -m $HOSTNAME --enrollment.profile tls ...
$HOSTNAME is the host to use (e.g. peer0.org1.example.com, localhost, peer0). If you need to supply multiple SANs, you can use the --csr.hosts option, which takes a comma-separated list. Fabric CA has a built-in tls profile which issues X509 certs with the proper extended key usages.
Related
I have successfully installed a Fabric 2.0 test-network and I would like to use a 3rd party CA for user verification. So here are the steps that I have done:
./network.sh up createChannel -ca
./network.sh deployCC
The commands above have successfully created a test-network.
Then I copied both of my 3rd party Root CA and Intermediate CA Cert into the MSP folder of peer0.org1.example.com. The MSP folder now looks like this:
~/fabric-samples/test-network/organizations/peerOrganizations/org1.example.org/peers/peer0.org1.example.com/msp
|
|- cacerts
| |- localhost-7054-ca-org1.pem
| |- RootCA.pem
|- intermediatecerts
| |- IntermediateCA.pem
|...
|..
|.
Then I modified the CA Certificate for Client OU in the config.yaml:
ClientOUIdentifier:
Certificate: intermediatecerts/IntermediateCA.pem
OrganizationalUnitIdentifier: client
Once done, I restarted the peer by running this command:
docker restart peer0.org1.example.com
The restart was successful. However, when I tried to invoke the chaincode using a certificate issued by the 3rd Party Intermediate CA, the peer returned this error:
[endorser] Validate -> WARN 02a access denied: channel the supplied identity is not valid: x509: certificate signed by unknown authority channel=mychannel txID=ca408ba9
The certificate has an OU=client which I think should be alright. Is there anything else I should do to fix this issue?
P.S.: When I tried to invoke the chaincode using a certificate issued by the Fabric-CA, it works like a charm although the config.yaml has been modified.
Thanks guys!
The genesis block of the channel contains the MSP information.
If the MSP has changed, it must be updated in the channel.
There are two ways:
Before creating the channel, change the crypto-config files.
After creating the channel, use configtxlator.
I checked out the fabric-samples project and ran startFabric.sh to start the Fabric blockchain network. After that, I ran node enrollAdmin.js to enroll the new admin.
Now, I want to use the command line of fabric-ca-client to add a new user to org1. I execute the commands below:
Access the ca_peerOrg1 docker container
docker exec -it ca_peerOrg1 bash
I check the values of the following:
$FABRIC_CA_CLIENT_HOME is unset
$FABRIC_CA_HOME is /etc/hyperledger/fabric-ca-server
Go to the /etc/hyperledger/fabric-ca-server directory and check the command
fabric-ca-client
And run this command
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
But the error below occurs:
Could anyone help? Thanks for reading.
I just encountered the same problem. For anyone who is interested, this error indicates fabric-ca-server is running with TLS enabled.
To get rid of this error, you need to make the following changes to the fabric-ca-client command:
use https instead of http in the url
use ca host name instead of localhost in the url
provide the TLS cert file for the server's listening port via --tls.certfiles
e.g. fabric-ca-client enroll -u https://admin:adminpw@ca.org0.example.com:7054 --tls.certfiles /certs/ca/ca.org0.example.com-cert.pem
The TLS cert file was generated by fabric-ca-server at startup. The default file location is $FABRIC_CA_SERVER_HOME/tls-cert.pem. Otherwise, the location is specified by $FABRIC_CA_SERVER_TLS_CERTFILE or fabric-ca-server-config.yaml
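The three answers above (the tls profile's SANs and extended key usages, the MSP trust store behind "certificate signed by unknown authority", and the host-name and --tls.certfiles points for a TLS-enabled server) all reduce to X.509 chain verification, which can be exercised offline. The Go program below is an added example, not code from any of the posts or from Fabric CA: it builds a constructed in-memory PKI (a Fabric CA root for org1 and a separate third-party root with an intermediate) with its own issue helper, issues the kinds of certificates the posts talk about, and runs the checks a practitioner would apply to them. CheckTLSCert, VerifyChain, IsUnknownAuthority and IsHostnameMismatch are names chosen here; the host names peer0.org1.example.com, localhost and ca.org1.example.com mirror the posts. The https-versus-http point cannot be shown at this layer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // serial numbers for the constructed example PKI

// issue signs a certificate for tmpl: self-signed when parent is nil (a root),
// otherwise signed by parent with parentKey. Example helper, not fabric-ca code.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial++
	tmpl.SerialNumber = big.NewInt(serial)
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// caTemplate carries the basic constraints and key usage that Verify demands
// of every root and intermediate in a chain.
func caTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
}

// CheckTLSCert is the post-enrollment check for a certificate from the "tls"
// profile: each host passed via -m/--csr.hosts must be a SAN, and the extended
// key usages must allow both TLS server and TLS client authentication.
func CheckTLSCert(cert *x509.Certificate, hosts ...string) error {
	for _, h := range hosts {
		if err := cert.VerifyHostname(h); err != nil {
			return fmt.Errorf("missing SAN: %w", err)
		}
	}
	have := map[x509.ExtKeyUsage]bool{}
	for _, eku := range cert.ExtKeyUsage {
		have[eku] = true
	}
	if !have[x509.ExtKeyUsageServerAuth] || !have[x509.ExtKeyUsageClientAuth] {
		return errors.New("missing serverAuth or clientAuth extended key usage")
	}
	return nil
}

// VerifyChain is the check behind "certificate signed by unknown authority":
// leaf must chain to one of roots through inters (an MSP's cacerts and
// intermediatecerts). A non-empty dnsName adds the host-name check a TLS client makes.
func VerifyChain(leaf *x509.Certificate, roots, inters []*x509.Certificate, dnsName string) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
		DNSName: dnsName, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	for _, r := range roots {
		opts.Roots.AddCert(r)
	}
	for _, i := range inters {
		opts.Intermediates.AddCert(i)
	}
	_, err := leaf.Verify(opts)
	return err
}

func IsUnknownAuthority(err error) bool { var e x509.UnknownAuthorityError; return errors.As(err, &e) }
func IsHostnameMismatch(err error) bool { var e x509.HostnameError; return errors.As(err, &e) }

func main() {
	// Constructed PKI: the org's Fabric CA root, plus a third-party root and intermediate.
	fabricRoot, fabricKey := issue(caTemplate("ca.org1.example.com"), nil, nil)
	thirdRoot, thirdKey := issue(caTemplate("Third-Party Root CA"), nil, nil)
	inter, interKey := issue(caTemplate("Third-Party Intermediate CA"), thirdRoot, thirdKey)
	// What the tls profile issues for: enroll -m peer0.org1.example.com --csr.hosts localhost
	peerTLS, _ := issue(&x509.Certificate{DNSNames: []string{"peer0.org1.example.com", "localhost"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}, fabricRoot, fabricKey)
	fmt.Println("peer TLS cert:", CheckTLSCert(peerTLS, "peer0.org1.example.com", "localhost"))
	// A client identity issued by the third-party intermediate, against two trust stores.
	user, _ := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "user1", OrganizationalUnit: []string{"client"}}}, inter, interKey)
	fmt.Println("user vs Fabric CA root only:", VerifyChain(user, []*x509.Certificate{fabricRoot}, nil, ""))
	fmt.Println("user vs third-party root + intermediate:", VerifyChain(user, []*x509.Certificate{thirdRoot}, []*x509.Certificate{inter}, ""))
	// The CA server's TLS cert: trusting the right root but dialling "localhost" still fails.
	caTLS, _ := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "ca.org1.example.com"}, DNSNames: []string{"ca.org1.example.com"}}, fabricRoot, fabricKey)
	fmt.Println("dial as localhost:", VerifyChain(caTLS, []*x509.Certificate{fabricRoot}, nil, "localhost"))
	fmt.Println("dial as ca.org1.example.com:", VerifyChain(caTLS, []*x509.Certificate{fabricRoot}, nil, "ca.org1.example.com"))
}
```

Run it with go run. The first VerifyChain call on the user certificate fails with x509.UnknownAuthorityError (the error text quoted in the second question) because the trust store holds only the Fabric CA root, and passes once the third-party root and intermediate are trusted; the localhost check fails with x509.HostnameError even though the root is trusted, which is why the last answer says to use the CA's host name in the URL and to pass its certificate with --tls.certfiles.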
I know the problem "This identity is not an admin" is widely reported, but this is a specific case. I have read a lot of issues here and at Jira and I see no problem close to mine.
What I am trying to do is to join a channel from a peer in a full custom Hyperledger 1.4 network where I have not used cryptogen. The problem I am getting is exactly this one:
2019-09-25 14:02:43.340 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
Error: proposal failed (err: bad proposal response 500: access denied for [JoinChain][global]: [Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy [Admins]: [This identity is not an admin]])
I know that I have to use an admin identity to make the channel connection proposal, which I am doing by enrolling as the org admin. Once it is done, I just join the peer (code below). Of course, CORE_PEER_ variables are correctly set and ADMIN_NAME and ADMIN_PASSWORD exist.
# Get admin identity
ORG_ADMIN_HOME=/data/orgs/${ORG}/admin
ORG_ADMIN_CERT=/data/orgs/${ORG}/msp/admincerts/cert.pem
if [[ ! -d ${ORG_ADMIN_HOME} ]]; then
echo "[INFO] Enrolling admin '${ADMIN_NAME}' with ${CA_NAME} ..."
export FABRIC_CA_CLIENT_HOME=${ORG_ADMIN_HOME}
fabric-ca-client enroll -d -u https://${ADMIN_NAME}:${ADMIN_PASSWORD}@${CA_URL}
mkdir -p $(dirname "${ORG_ADMIN_CERT}")
cp ${ORG_ADMIN_HOME}/msp/signcerts/* ${ORG_ADMIN_CERT}
mkdir ${ORG_ADMIN_HOME}/msp/admincerts
cp ${ORG_ADMIN_HOME}/msp/signcerts/* ${ORG_ADMIN_HOME}/msp/admincerts
fi
export CORE_PEER_MSPCONFIGPATH=${ORG_ADMIN_HOME}/msp
# Join channel
peer channel join -b ${GENESIS_FILE}
I got the admin identity by registering it before this with another script that does the following:
# Enroll CA Admin
export FABRIC_CA_CLIENT_HOME=$HOME/cas/${CA_NAME}
fabric-ca-client enroll -d -u ${ENROLLMENT_URL}
# Register ORG Admin
fabric-ca-client register -d --id.name ${ADMIN_NAME} --id.secret ${ADMIN_PASSWORD} --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert"
My question is: if I registered the Org Admin and I am able to enroll as it, why do I get the "This identity is not an admin" error? Does it make any sense?
Thank you
EDIT: What I am doing right now (It is reduced, not a direct copy of the code, so there are some changes mainly related to paths and folders).
I run a container called register-org that does the following:
# Enroll as CA Admin
fabric-ca-client enroll -d -u ${ENROLLMENT_URL}
# Get CA Certs
fabric-ca-client getcacert -d -u https://${CA_URL} -M ${ORG_MSP_DIR}
# Register Org Admin
fabric-ca-client register -d --id.name ${ADMIN_NAME} --id.secret ${ADMIN_PASSWORD} --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert"
# Enroll as Org Admin
fabric-ca-client enroll -d -u https://${ADMIN_NAME}:${ADMIN_PASSWORD}@${CA_URL}
# I download then ${ORG_ADMIN_HOME}/msp/admincerts/cert.pem and save it
The next container is the peer itself, where I do:
# I upload the CERT.PEM file to ${CORE_PEER_MSPCONFIGPATH}/admincerts/cert.pem
# Generate Server TLS Key and Certs
fabric-ca-client enroll -d --enrollment.profile tls -u ${ENROLLMENT_URL} -M /tmp/tls --csr.hosts ${PEER_HOST}
# Generate Client TLS Key and Certificate
fabric-ca-client enroll -d --enrollment.profile tls -u ${ENROLLMENT_URL} -M /tmp/tls --csr.hosts ${PEER_HOST}
# Enroll peer
fabric-ca-client enroll -d -u ${ENROLLMENT_URL} -M ${CORE_PEER_MSPCONFIGPATH}
# Start peer
peer node start
Finally, I run the join-peer-channel container, where I do:
# I upload the CERT.PEM file to ${CORE_PEER_MSPCONFIGPATH}/admincerts/cert.pem
# Enroll as Org Admin
fabric-ca-client enroll -d -u https://${ADMIN_NAME}:${ADMIN_PASS}@${CA_URL}
# Join the channel
peer channel join -b ${GENESIS_FILE}
# AND IT FAILS AGAIN.
Are you sure that the admin's certificate is really in the peer's admin folder?
cp ${ORG_ADMIN_HOME}/msp/signcerts/* ${ORG_ADMIN_HOME}/msp/admincerts
Are you doing this inside the peer container/VM ?
We get this error whenever we try to run fabric-ca-client. Example below:
# fabric-ca-client register --url https://ica-org:7054 --id.name user-org --id.affiliation=org
2019/03/19 20:18:07 [INFO] Configuration file location: /home/fabric-ca-client-config.yaml
2019/03/19 20:18:07 [INFO] TLS Enabled
2019/03/19 20:18:07 [ERROR] Enrollment check failed: Idemix enrollment information does not exist
Error: Enrollment information does not exist. Please execute enroll command first. Example: fabric-ca-client enroll -u http://user:userpw@serverAddr:serverPort
How can we fix this?
This happens when fabric-ca-client cannot find any X509 or Idemix identity. fabric-ca-client needs to be initialized with an identity (except when it is being used to enroll a user). It first tries to load an X509 identity from the mspdir location specified in the fabric-ca-client-config.yaml file or by the -M command line argument, which takes precedence over mspdir in the config file. If it is not able to find an X509 identity, it will look for an Idemix identity. If this fails as well, it displays the error in question.
For X509 identity:
its public cert needs to be in signcerts
and private key needs to be in keystore
and the public cert of the authority who issued the public/private keypair needs to be in cacerts folder (if an intermediate ca was used then its cert needs to be in intermediatecerts)
all the folders above are under the mspdir
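As an added example (not from the answer or from Fabric CA), the Go program below turns this checklist into a function: CheckMSPDir reports which of signcerts, keystore and cacerts is missing under a given mspdir and flags a path that does not exist at all, and DemoLayout runs it against a constructed temporary mspdir before and after populating it with placeholder files. The function and file names are this example's own; the placeholder file contents are not real certificate material.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Folders fabric-ca-client needs under mspdir before it can act as an X.509
// identity, with what each must hold (intermediatecerts is needed only when
// the issuer was an intermediate CA, so it is not checked here).
var requiredMSP = []struct{ dir, holds string }{
	{"signcerts", "the identity's public certificate"},
	{"keystore", "the matching private key"},
	{"cacerts", "the certificate of the CA that issued the key pair"},
}

// CheckMSPDir returns one message per missing piece, or nil when mspdir looks
// usable. mspdir is what the -M flag or the config's mspdir setting points at;
// a path that does not exist at all (unset or wrong FABRIC_CA_CLIENT_HOME, a
// mistyped -M) is reported as such.
func CheckMSPDir(mspdir string) []string {
	if st, err := os.Stat(mspdir); err != nil || !st.IsDir() {
		return []string{fmt.Sprintf("%s: directory does not exist; check FABRIC_CA_CLIENT_HOME and -M", mspdir)}
	}
	var missing []string
	for _, r := range requiredMSP {
		if !hasFiles(filepath.Join(mspdir, r.dir)) {
			missing = append(missing, fmt.Sprintf("%s/%s: expected %s", mspdir, r.dir, r.holds))
		}
	}
	return missing
}

// hasFiles reports whether dir exists and contains at least one regular file.
func hasFiles(dir string) bool {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return false
	}
	for _, e := range entries {
		if e.Type().IsRegular() {
			return true
		}
	}
	return false
}

// DemoLayout builds a constructed mspdir in a temp directory, checks it while
// empty, populates it with placeholder files named as enroll names them, and
// checks again. It returns both reports.
func DemoLayout() (before, after []string, err error) {
	dir, err := os.MkdirTemp("", "msp-example-")
	if err != nil {
		return nil, nil, err
	}
	defer os.RemoveAll(dir)
	before = CheckMSPDir(dir)
	files := map[string]string{"signcerts": "cert.pem", "keystore": "priv_sk", "cacerts": "ca-cert.pem"}
	for sub, name := range files {
		if err = os.MkdirAll(filepath.Join(dir, sub), 0o700); err != nil {
			return nil, nil, err
		}
		// Placeholder content: a real mspdir holds PEM-encoded certificate and key material.
		if err = os.WriteFile(filepath.Join(dir, sub, name), []byte("constructed placeholder\n"), 0o600); err != nil {
			return nil, nil, err
		}
	}
	after = CheckMSPDir(dir)
	return before, after, nil
}

func main() {
	before, after, err := DemoLayout()
	if err != nil {
		panic(err)
	}
	fmt.Println("empty mspdir:", before)
	fmt.Println("populated mspdir:", after)
	fmt.Println("missing path:", CheckMSPDir("/nonexistent/msp-example"))
}
```

Pointing CheckMSPDir at $FABRIC_CA_CLIENT_HOME/msp (the default mspdir) or at whatever -M names reproduces the three situations the answers describe: a home directory that was never created, a mistyped -M path, and a directory that exists but was never populated by an enroll.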
Solution 1
A potential cause: if the folder indicated by FABRIC_CA_CLIENT_HOME has not been created, you'll get that error. You have to check that FABRIC_CA_CLIENT_HOME points to an existing folder. This happens too when indicating a wrong MSP path, e.g.:
fabric-ca-client gencrl -M ~/wrong_path
Solution 2:
Resolution for issuing the fabric-ca-client identity list command is as follows:
start the network with the CA option
./network.sh up -ca
after the network is up, navigate to (assumes you are already in the test-network directory):
cd organizations/peerOrganizations/org1.example.com
export cert path using this command:
export FABRIC_CA_CLIENT_TLS_CERTFILES=$PWD/ca/ca.org1.example.com-cert.pem
export fabric-ca-client home using this command:
export FABRIC_CA_CLIENT_HOME=$PWD
issue the following command:
fabric-ca-client identity list
Since you use TLS, you should be using the --tls.certfiles flag or set the FABRIC_CA_CLIENT_TLS_CERTFILES environment variable when using the fabric-ca-client command. This should hold the full path to your organisation's TLS certificate.
I am following the instructions in the docs to generate an ecert with test attributes. But I am not able to do it. I am using fabric-ca-client version 1.1.0-preview which, according to this issue, should have support for attribute certificates (I have also tried more recent versions).
What I do:
Enroll the admin:
$ export FABRIC_CA_CLIENT_HOME=/etc/hyperledger/fabric-ca;
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
Register the client:
$ fabric-ca-client register --id.name user1 --id.secret user1pw --id.type user --id.affiliation org1 --id.attrs attr1=val1:ecert
Enroll the client:
$ export FABRIC_CA_CLIENT_HOME=/etc/hyperledger/fabric-ca/clients/user1; fabric-ca-client enroll -u http://user1:user1pw@localhost:7054
But then, openssl x509 -in /etc/hyperledger/fabric-ca/clients/user1/msp/signcerts/cert.pem -text -noout shows a certificate without attributes.
Questions:
Is it even possible to generate certificates with attributes using the fabric-ca-client utility? According to this issue "The "fabric-ca-client register" CLI command will be enhanced to support ...". But then, in the main documentation, it is explained as if it is already possible to do it.
If it is indeed possible, what am I doing (or may be doing) wrong? Since I am using the admin identity to register and enroll the new ecert, I assume there are no restrictions as to what attributes I may add to ecerts (however, I have also tried to follow the conditions stated here).
If it is not possible, what is the recommended way to do it? Does generation with any of the SDKs work?
Thanks.
Solved.
It turns out I was not using fabric-ca-client version 1.1.0-preview. With that version, the sequence of commands in the question correctly generates certificates with attributes.