Hyperledger Fabric CA Tool not generating identity - hyperledger-fabric

I am trying to deploy a production Hyperledger Fabric network on Kubernetes and, when trying out the example from the fabric-ca sample, I can see that the pod running fabric-ca-tools is not generating identities and gives an error at line number 51 of setup-fabric.sh, in the function registerOrdererIdentities, where the ORDERER is registered with the CA for an identity using the command fabric-ca-client register -d --id.name $ORDERER_NAME --id.secret $ORDERER_PASS --id.type orderer. It fails to register and says:
Error: Response from server: Error Code: 0 - Registration of 'orderer1-org0failed: Identity 'orderer1-org0' is already registered
I am not able to understand why this error is coming if the identity was not previously registered by the root CA and intermediate CA.
Stuck here for a long time; any help is appreciated.

This error is thrown whenever you try to re-register an identity which is already registered. So that means you have already run the fabric-ca-client register command for --id.name orderer1-org0. The next step would be to enrol orderer1-org0 with the appropriate password, and in return you will receive a certificate and private key from the CA server. The interesting part is, now I am searching for a way to edit the attributes of an already generated certificate. Kind of like editing it in the first place. But I keep getting this error. For a moment I thought that revoking the certificate would make it work, but nonetheless that only made it a requirement to run fabric-ca-client reenroll. Unable to find any help anywhere.

Related

Hyperledger Fabric: Why doesn't cryptogen generate all the necessary crypto material to register new users?

I am using cryptogen to generate all of the crypto material for the Fabric network I am building. I can successfully bring the network up and deploy chaincode. However, I am running into problems when trying to register a new user. I am following along with the asset-transfer-private-data tutorial, and after deploying the chaincode, I run
fabric-ca-client register --caname ca.org1 --id.name org1-client --id.secret org1-password --id.type client --mspdir ./config/crypto-config/peerOrganizations/org1/msp
and get the error
2020/10/03 12:20:11 [INFO] Configuration file location: /home/user/network3.2/config/crypto-config/peerOrganizations/org1/fabric-ca-client-config.yaml
2020/10/03 12:20:11 [ERROR] Enrollment check failed: Idemix enrollment information does not exist
Error: Enrollment information does not exist. Please execute enroll command first. Example: fabric-ca-client enroll -u http://user:userpw#serverAddr:serverPort
There is no fabric-ca-client-config.yaml file. The mspdir I specify has the directories signcerts, keystore, and cacerts which, according to "Hyperledger Fabric: Enrollment check failed: Idemix enrollment information does not exist", are needed. However, both the signcerts and keystore directories are empty, whereas they should include a public cert and a private key respectively.
How can I generate these files? Thanks.
For Idemix, you can use the idemixgen tool.
But both the cryptogen tool and the idemixgen tool are used for testing purposes. For production-level use, you have to use Hyperledger Fabric CA.
cryptogen is an utility for generating Hyperledger Fabric key material. It is provided as a means of preconfiguring a network for testing purposes. It would normally not be used in the operation of a production network.
Link: https://hyperledger-fabric.readthedocs.io/en/release-2.2/commands/cryptogen.html?highlight=cryptogen#cryptogen
cryptogen is a utility to quickly allow you to generate crypto material to get things started. It does not have any direct ties to Fabric CA (intentionally).
The only thing you can do is to leverage the CA key pair generated for each organization (under the ca folder) as the root key pair used when starting up an instance of Fabric CA.

How can you reenroll an admin certificate for a Hyperledger Fabric peer if it is already expired

In the Hyperledger Fabric documentation it states to use the fabric-ca-client reenroll if a certificate is about to expire.
Should it also work after a certificate has already expired?
After doing the reenroll request I get the following:
reenroll: x509: certificate has expired or is not yet valid
Are there any other options to renew already expired certificates?
According to the official document, MSP identities never expire. You should be able to reenroll the admin identity.
However, you can also enroll the admin identity again if you have the enrollment secret.
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
I faced the same issue for the admin user and solved it by running the below command
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/crypto-config/peerOrganizations/org1.example.com/tlsca/ca/ca.org1.example.com-cert.pem
export FABRIC_CA_CLIENT_HOME=/tmp/crypto-config/hyperledger/tls-ca/admin
fabric-ca-client reenroll -d -u https://admin:adminpw@ca.org1.example.com:7054 --caname ca-org1
You will get two .pem files
Stored client certificate at /tmp/crypto-config/hyperledger/tls-ca/admin/msp/signcerts/cert.pem
Stored root CA certificate at /tmp/crypto-config/hyperledger/tls-ca/admin/msp/cacerts/ca-org1-example.com-com-7054-ca-org1.pem
But I didn't find any documentation for the JavaScript libraries on using the reenroll function. If anyone has, please post links.

Regarding admin/user identities created for Nodejs Client via Enrollment in Hyperledger Fabric

I have the queries below with regards to client/user identities created by the enrollment process for a nodejs client. When I try to enroll identities, fabric-ca issues certificates for that particular user. The certificate issued to that client has the properties below.
Certificate Information:
Common Name: admin
Organization Unit: client
Valid From: May 6, 2020
Valid To: May 6, 2021
Issuer: fabric-ca-server, Hyperledger
Now when I try to use the same identity to install and instantiate chaincode or interact with the fabric runtime via TestAPI, it throws the error below:
2020-05-05 18:35:06.670 UTC [protoutils] ValidateProposalMessage -> WARN 0e4 channel [ichannel]: MSP error: the supplied identity is not valid: x509: certificate signed by unknown authority
I have created crypto certificates for all organizations using cryptogen tool. These certificates have been issued by the certificate authority defined in network-config.yaml file.
I suspect that the difference in the certificate issuer is causing the identity issue. Please let me know if my understanding is correct.
If yes, then how can I ensure that these nodejs client certificates are being used by the same certificate authority defined in the network-config.yaml file?
I was able to resolve this issue by updating the Certificate Authorities' environment variables inside the docker-compose file. Earlier they were not getting picked up from the /etc/hyperledger/fabric-ca-server-config/ location. I updated the path for the environment variables below of all certificate authorities before regenerating the crypto configurations and restarting the whole network:
FABRIC_CA_SERVER_CA_KEYFILE
FABRIC_CA_SERVER_CA_CERTFILE
Note: TLS configs were disabled inside the network.
This has worked for me.

hyperledger fabric invoke.js "Error: 2 UNKNOWN: access denied: channel [mychannel] creator org [Org1MSP]"

I am able to invoke my chaincode from docker cli successfully (fabric-shim).
I ran enrollAdmin.js and registerUser.js successfully,
but when I try to run invoke.js or query.js, I get Error: 2 UNKNOWN: access denied: channel [mychannel] creator org [Org1MSP].
Though there is limited information shown above, the peer log gives the essential hint about the problem:
WARN 044 channel [mychannel]: MSP error: the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.org1.example.com"
Here are some suggestions that may help you solve this problem:
Change your peer's logging level to DEBUG in the docker-compose file; you will find the solution more easily by following the debug information.
Make sure your CA container is running and its logs do not throw errors, like certificate verification errors, which are commonly caused by wrong configuration.
Now that the logs show some information about x509 ECDSA, which relates to the signature and the peer's endorsement keycert: these keycerts may be stored in /tmp/hfc-key-store or any other place that you defined in your code. Try to clean up these temporary files and restart the network again.
Noticing that you are using the fabric-sample repo, I think this problem may not be caused by code issues since you just modified a few parameters. So I recommend you follow this tutorial to get the right steps.
I came across a similar issue.
I found out that the channel name in the network config and the channel I created were different. So I changed the channel name in the network config and it got fixed.

Add a new org - certificate signed by unknown authority

I'm trying to add a new org called Org4 in the fabric network generated by the script byfn. I'm following this tutorial http://hyperledger-fabric.readthedocs.io/en/latest/channel_update_tutorial.html
But I met an error when I try to do the "peer channel update":
could not create channel Application sub-group config: setting up the MSP manager failed: the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.org4.example.com"
I don't know why the certificate is not valid, because I generated it the same way I did, and succeeded, with Org3: using cryptogen, and I changed the config files by replacing 'Org3' with 'Org4'.
First I thought it was because I already had three orgs, but then I created a new network and tried to add Org4. It didn't work, but if I try again to add Org3 it works. So I'm confused about how just changing the name of the Org can impact the process.
Best Regards
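Added example (not from any of the posts, nor Fabric's own code): the issuer mismatch behind the "certificate signed by unknown authority ... ECDSA verification failure" lines in this and the two preceding threads, and the "certificate has expired" result from the reenroll thread, reproduced with Go's crypto/x509, the standard-library package whose error strings appear in those peer logs. It assumes the situation the answers describe: a CA named ca.org1.example.com generated by cryptogen and a fabric-ca-server CA with the same name but a different key pair; every certificate is constructed in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign issues a P-256 certificate (the curve Fabric uses) for subj: self-signed like a CA root when isCA is set,
// otherwise signed by parent/parentKey like an identity enrolled from that CA. Inputs are constructed, so an error is a bug.
func sign(subj pkix.Name, isCA bool, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: subj, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: notAfter, IsCA: isCA, BasicConstraintsValid: isCA}
	// A root signs itself and must carry the certSign key usage, or Verify rejects it as a parent.
	if isCA { tmpl.KeyUsage, parent, parentKey = x509.KeyUsageCertSign, tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// mspCheck validates cert the way a peer's MSP does: against the CA certificates in its cacerts/ folder, at time now.
// It returns the x509 error text, or "" when a chain to a trusted CA is found.
func mspCheck(cert *x509.Certificate, cacerts []*x509.Certificate, now time.Time) string {
	roots := x509.NewCertPool()
	for _, c := range cacerts { roots.AddCert(c) }
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil { return err.Error() }
	return ""
}

// Scenario: cryptogen's CA and fabric-ca-server's CA share the CN ca.org1.example.com but not a key pair. wrongCA checks
// an admin identity enrolled from the fabric-ca CA against an MSP that only trusts the cryptogen CA, rightCA checks it
// against its real issuer, and expired checks an identity past its NotAfter against that same issuer.
func Scenario() (wrongCA, rightCA, expired string) {
	caName, now := pkix.Name{CommonName: "ca.org1.example.com"}, time.Now()
	client := pkix.Name{CommonName: "admin", OrganizationalUnit: []string{"client"}}
	cryptogenCA, _ := sign(caName, true, now.Add(24*time.Hour), nil, nil)
	fabricCA, fabricKey := sign(caName, true, now.Add(24*time.Hour), nil, nil)
	admin, _ := sign(client, false, now.Add(24*time.Hour), fabricCA, fabricKey)
	old, _ := sign(client, false, now.Add(-time.Minute), fabricCA, fabricKey)
	trusted := []*x509.Certificate{fabricCA}
	return mspCheck(admin, []*x509.Certificate{cryptogenCA}, now), mspCheck(admin, trusted, now), mspCheck(old, trusted, now)
}
```

The wrongCA text names the candidate CA by its CN, which is why the peer logs above blame "ca.org1.example.com" even though a CA of that name exists: the MSP holds a cert with the right name but the wrong key.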
