1) Can we use Hyperledger fabric-ca to manage the MSP?
2) If yes, how do we configure it?
3) Can we generate the MSP using Hyperledger fabric-ca?
I've found a solution: we can avoid using the binaries and generate the MSP using fabric-ca.
Check the fabric-ca directory in fabric-samples. First run
$: ./makeDocker.sh (this will generate the docker-compose.yaml file)
then run
$: ./start.sh
This will spin up the Docker containers, install the sample chaincode, and enroll the peer and orderer users on fabric-ca.
Background
We have a production Fabric cluster set up that has been running for a year. Now most of the certs have expired and the cluster has crashed, including both the TLS and the identity certs.
I tried to fix it by completely removing the old certs and private keys, then generating and enrolling new identities for the peer, peer admin, orderer, and orderer admin.
Everything works again, but I cannot instantiate/upgrade chaincode in the existing channel because the channel was configured with the old admin certs.
Problem
So now it looks like I'm stuck in a deadlock. In order to update the channel config with the new cert, I need to sign the update with the matching old cert, which has already expired and is blocked by the orderer.
I found out that we can disable the expired-cert check in the orderer using ORDERER_GENERAL_AUTHENTICATION_NOEXPIRATIONCHECKS=true. But I no longer have the old admin private key, so I still cannot update the channel config.
Questions
I already replaced the old private keys with new ones, so there is no way to use the old cert again.
Can I do something to resolve this channel issue?
Suggestions are greatly appreciated.
[!] What I'm suggesting is an idea. I haven't tested it.
[!] It seems feasible enough, but side effects have not been considered.
[!] It's just a trick; it's true that it should never be done.
The conclusion is that the orderer and peer binaries can be artificially manipulated and updated.
When building the binaries, Fabric uses $GOROOT/src/crypto.
Build in the fabric repository after artificially modifying all the ECDSA verify functions in crypto to return true immediately.
cd $GOROOT/src/crypto
vi ecdsa/ecdsa.go # modify `Verify` function
cd $GOPATH/src/github.com/hyperledger/fabric
make peer
make orderer
Back up the binaries of the currently running docker container, and rerun after planting the newly built binaries in the container.
docker cp <peer_container_name>:/usr/local/bin/peer ./
docker cp $GOPATH/src/github.com/hyperledger/fabric/build/bin/peer <peer_container_name>:/usr/local/bin/peer
docker cp <orderer_container_name>:/usr/local/bin/orderer ./
docker cp $GOPATH/src/github.com/hyperledger/fabric/build/bin/orderer <orderer_container_name>:/usr/local/bin/orderer
docker-compose -f <your_docker_compose_file_path> restart
Now every verify passes unconditionally, so update all the recent state.
Afterwards, the backed-up binaries are put back into the container, which resolves the problem.
docker cp ./peer <peer_container_name>:/usr/local/bin/peer
docker cp ./orderer <orderer_container_name>:/usr/local/bin/orderer
docker-compose -f <your_docker_compose_file_path> restart
I have successfully installed a Fabric 2.0 test-network and I would like to use a 3rd party CA for user verification. So here are the steps that I have done:
./network.sh up createChannel -ca
./network.sh deployCC
The commands above have successfully created a test-network.
Then I copied both my 3rd-party Root CA and Intermediate CA certs into the MSP folder of peer0.org1.example.com. The MSP folder now looks like this:
~/fabric-samples/test-network/organizations/peerOrganizations/org1.example.org/peers/peer0.org1.example.com/msp
|
|- cacerts
| |- localhost-7054-ca-org1.pem
| |- RootCA.pem
|- intermediatecerts
| |- IntermediateCA.pem
|...
|..
|.
Then I modified the CA Certificate for Client OU in the config.yaml:
ClientOUIdentifier:
  Certificate: intermediatecerts/IntermediateCA.pem
  OrganizationalUnitIdentifier: client
Once done, I restarted the peer by running this command:
docker restart peer0.org1.example.com
The restart was successful. However, when I tried to invoke the chaincode using a certificate issued by the 3rd Party Intermediate CA, the peer returned this error:
[endorser] Validate -> WARN 02a access denied: channel the supplied identity is not valid: x509: certificate signed by unknown authority channel=mychannel txID=ca408ba9
The certificate has an OU=client which I think should be alright. Is there anything else I should do to fix this issue?
P.S. When I tried to invoke the chaincode using a certificate issued by the Fabric CA, it works like a charm even though config.yaml has been modified.
Thanks guys!
The genesis block of the channel contains the MSP information.
If the MSP has changed, it must be updated in the channel.
There are two ways:
before creating the channel, change the crypto-config files;
after creating the channel, use configtxlator.
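As an added illustration (not code from the question or the answer above), this Go program reproduces what a peer MSP does with an identity: it chains the certificate to the roots in cacerts through intermediatecerts, then checks the OU that the NodeOUs config names. The CA names (ca-org1, RootCA, IntermediateCA), the user certificate and its OU are constructed test values; with only the Fabric CA as root, MSPAccepts returns the "certificate signed by unknown authority" error from the question, and with the 3rd-party root plus intermediate it accepts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed P-256 test certificate; parent == nil yields a self-signed root.
func issue(cn, ou string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sn, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: sn, Subject: pkix.Name{CommonName: cn, OrganizationalUnit: []string{ou}},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, // KeyUsage left unset so Go's CA signature check is satisfied
	}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// MSPAccepts mirrors the peer MSP's identity check: chain to cacerts via intermediatecerts, then NodeOU.
func MSPAccepts(cacerts, intermediates []*x509.Certificate, id *x509.Certificate, wantOU string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range cacerts {
		roots.AddCert(c)
	}
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	if _, err := id.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err // "x509: certificate signed by unknown authority" when no cacert anchors the chain
	}
	for _, ou := range id.Subject.OrganizationalUnit {
		if ou == wantOU {
			return nil
		}
	}
	return fmt.Errorf("identity has no OU %q as required by config.yaml", wantOU)
}
```

For a channel transaction the peer runs this check with the MSP definition stored in the channel config, which is why copying the CA into the local MSP folder alone is not enough.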
I am trying to run the startFabric.sh script, but it fails with the following error.
There are already several solutions posted for this problem. I went through almost all of them: changing the FABRIC_CFG_PATH variable, running byfn.sh before this, etc.
Still cannot resolve it!
Can you make sure that you can run ./network.sh up inside fabric-samples/test-network/ ?
The error you are getting may be the result of one of the following:
You have an incomplete fabric-samples folder, OR
You do not have appropriate permission to access the folder which has config.yaml file. In this case, it's
fabric-samples/test-network/organizations/ordererOrganizations/example.com/msp
You do not have certificates generated for the orgs.
Please share more info, so it's easier to navigate through the problem.
P.S. The fabcar example in Fabric 2.1 uses test-network instead of first-network used in previous versions. So, running byfn.sh would not be of much help.
Use FABRIC_CFG_PATH=$PWD/../config/ with your $PWD set to ~/fabric-samples/fabcar
Also check that configtx.yaml exists in ~/fabric-samples/test-network/configtx
I am trying to run the Fabric network and am getting the following error.
peer1.org2.example.com | 2019-08-09 19:37:30.561 UTC [main] InitCmd ->
ERRO 001 Cannot run peer because error when setting up MSP of type bccsp
from directory /etc/hyperledger/fabric/msp: could not load a valid signer certificate
from directory /etc/hyperledger/fabric/msp/signcerts: stat /etc/hyperledger/fabric/msp/signcerts:
no such file or directory
I also tried to find the directory in the crypto-config folder and don't see a signcerts folder there either. I am not sure whether
cryptogen generate --config=./crypto-config.yaml
generates this folder or not.
I am using docker-compose to run the Fabric network, and I have the following two mounts:
../crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp:/etc/hyperledger/fabric/msp
../crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls:/etc/hyperledger/fabric/tls
Please suggest.
cryptogen generates the crypto-config directory, but to avoid your error you should run the following commands, adjusting the paths for your system.
docker exec -it cli bash
export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp
export CORE_PEER_ADDRESS=peer0.org1.example.com:7051
export CORE_PEER_LOCALMSPID="Org1MSP"
export CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
So the issue was that the folder it generates is inside
crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/signcert
and I was looking in
crypto-config/peerOrganizations/org1.example.com/msp
Also, one mount was wrong. Another thing with the orderer was the relative mapping ./ instead of ../
Thanks for your help @adarshJha
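As an added pre-flight check (not part of the question or the answers above), this Go program resolves the host side of each docker-compose volume mount relative to the compose file, the way Compose does, and for the peer's msp mount checks that cacerts, keystore and signcerts exist and are non-empty, which catches both the ./ vs ../ mistake and pointing at the organization-level msp folder instead of the peer's. The directory layout and file names used when testing it are constructed.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// requiredMSPDirs is the layout a peer expects in the directory mounted at its MSP config path.
var requiredMSPDirs = []string{"cacerts", "keystore", "signcerts"}

// CheckMount resolves the host side of a docker-compose volume spec ("host:container[:opts]")
// against the directory holding the compose file, as Compose does, and reports what the peer would
// fail on; for a mount whose container path ends in /msp it also checks the MSP folders are present.
func CheckMount(composeDir, spec string) []string {
	parts := strings.SplitN(spec, ":", 3)
	if len(parts) < 2 {
		return []string{spec + ": not a host:container volume spec"}
	}
	host := parts[0]
	if !filepath.IsAbs(host) {
		host = filepath.Join(composeDir, host) // Join also cleans ./ and ../ segments
	}
	if fi, err := os.Stat(host); err != nil || !fi.IsDir() {
		return []string{spec + ": host directory " + host + " does not exist"}
	}
	var problems []string
	if strings.HasSuffix(strings.TrimRight(parts[1], "/"), "/msp") {
		for _, sub := range requiredMSPDirs {
			entries, err := os.ReadDir(filepath.Join(host, sub))
			switch {
			case err != nil:
				problems = append(problems, spec+": missing "+sub+"/ under "+host)
			case len(entries) == 0:
				problems = append(problems, spec+": "+sub+"/ is empty under "+host)
			}
		}
	}
	return problems
}

func main() { // usage: go run main.go <docker-compose.yaml> <host:container> ...
	for i := 2; i < len(os.Args); i++ {
		for _, p := range CheckMount(filepath.Dir(os.Args[1]), os.Args[i]) {
			fmt.Println(p)
		}
	}
}
```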
I would be grateful if someone could help me out with this. I wanted to access the certificates and keys from the common storage. If I give the path, it creates a folder next to msp and creates the certificates there.
I tried changing the path in the docker-compose.yml file. The path changed, but it is still creating them next to the msp folder.
I wanted to know where the default path must be changed.
fabric-ca-client allows you to specify the directory in which the keys/certificates created by enroll will be stored, using the -M option:
fabric-ca-client enroll -u http://enrollid:enrollsecret@myca:7054 -M /path/to/myfolder
If you are using Docker to run the fabric-ca-client and want to make the key/certs available outside the Docker container, you will need to mount an external volume.
So let's say you want to store the key/certs in the /var/mycerts directory on your host system. You can do:
docker run --rm -v /var/mycerts:/var/mycerts hyperledger/fabric-ca fabric-ca-client enroll -u http://enrollid:enrollsecret@myca:7054 -M /var/mycerts