MSP directories in production environment configtxgen - hyperledger-fabric

To generate the genesis block using configtxgen we have to pass the configtx.yaml file. In that file we have to give the MSP directory path of each organization and of the orderer organization. Now, in a production environment, all the generated MSPs of the organizations will not be in the same directory, because of the private keys, and all peers will be in different geographical locations.
In such cases, how can we pass the MSP directory paths of the peers and organizations in configtx.yaml?

Related

How to configure 3rd Party CA in Hyperledger Fabric Test Network?

I have successfully installed a Fabric 2.0 test-network and I would like to use a 3rd party CA for user verification. So here are the steps that I have done:
./network.sh up createChannel -ca
./network.sh deployCC
The commands above have successfully created a test-network.
Then I copied both of my 3rd party Root CA and Intermediate CA Cert into the MSP folder of peer0.org1.example.com. The MSP folder now looks like this:
~/fabric-samples/test-network/organizations/peerOrganizations/org1.example.org/peers/peer0.org1.example.com/msp
|
|- cacerts
| |- localhost-7054-ca-org1.pem
| |- RootCA.pem
|- intermediatecerts
| |- IntermediateCA.pem
|...
|..
|.
Then I modified the CA Certificate for Client OU in the config.yaml:
ClientOUIdentifier:
  Certificate: intermediatecerts/IntermediateCA.pem
  OrganizationalUnitIdentifier: client
Once done, I restarted the peer by running this command:
docker restart peer0.org1.example.com
The restart was successful. However, when I tried to invoke the chaincode using a certificate issued by the 3rd Party Intermediate CA, the peer returned this error:
[endorser] Validate -> WARN 02a access denied: channel the supplied identity is not valid: x509: certificate signed by unknown authority channel=mychannel txID=ca408ba9
The certificate has an OU=client which I think should be alright. Is there anything else I should do to fix this issue?
P.S.: When I tried to invoke the chaincode using a certificate issued by the Fabric CA, it works like a charm although the config.yaml has been modified.
Thanks guys!
The genesis block of the channel contains the MSP information.
If the MSP has changed, it must be updated in the channel.
There are two ways:
before creating the channel, change the crypto-config files;
after creating the channel, use configtxlator.

cannot find Signcert hyperledger fabric

I am trying to run the fabric network and getting the following error.
peer1.org2.example.com | 2019-08-09 19:37:30.561 UTC [main] InitCmd ->
ERRO 001 Cannot run peer because error when setting up MSP of type bccsp
from directory /etc/hyperledger/fabric/msp: could not load a valid signer certificate
from directory /etc/hyperledger/fabric/msp/signcerts: stat /etc/hyperledger/fabric/msp/signcerts:
no such file or directory
I also tried to find the directory in the crypto-config folder and don't see a signcerts folder there either. I am not sure whether
cryptogen generate --config=./crypto-config.yaml
generates this folder or not.
I am using docker-compose to run the fabric network, and I have the following two mounts:
../crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp:/etc/hyperledger/fabric/msp
../crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls:/etc/hyperledger/fabric/tls
Please suggest.
cryptogen generates the crypto-config directory, but to avoid your error you should run the following commands, changing the paths according to your system:
docker exec -it cli bash
export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp
export CORE_PEER_ADDRESS=peer0.org1.example.com:7051
export CORE_PEER_LOCALMSPID="Org1MSP"
export CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
So the issue was that the folder it generates is inside
crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/signcert
and I was looking in
crypto-config/peerOrganizations/org1.example.com/msp
Also, one mount was wrong. Another thing with the orderer was the relative mapping ./ instead of ../
Thanks for your help @adarshJha

fabric-ca certificate creation on common storage instead of local machine

I would be grateful if someone could help me out with this. I wanted to access the certificates and keys from the common storage. If I give the path, it creates a folder near msp and creates the certificates there.
I tried changing the path in the docker-compose.yml file. The path changed, but it is still creating them near the msp folder.
I wanted to know where the default path must be changed.
fabric-ca-client allows you to specify the directory in which keys/certificates will be stored/created by using the -M option:
fabric-ca-client enroll -u http://enrollid:enrollsecret@myca:7054 -M /path/to/myfolder
If you are using Docker to run the fabric-ca-client and want to make the key/certs available outside the Docker container, you will need to mount an external volume.
So let's say you want to store the key/certs in the /var/mycerts directory on your host system. You can do:
docker run --rm -v /var/mycerts:/var/mycerts hyperledger/fabric-ca fabric-ca-client enroll -u http://enrollid:enrollsecret@myca:7054 -M /var/mycerts

Hyperledger Fabric: Enrollment check failed: Idemix enrollment information does not exist

We get this error whenever we try to run fabric-ca-client. Example below:
# fabric-ca-client register --url https://ica-org:7054 --id.name user-org --id.affiliation=org
2019/03/19 20:18:07 [INFO] Configuration file location: /home/fabric-ca-client-config.yaml
2019/03/19 20:18:07 [INFO] TLS Enabled
2019/03/19 20:18:07 [ERROR] Enrollment check failed: Idemix enrollment information does not exist
Error: Enrollment information does not exist. Please execute enroll command first. Example: fabric-ca-client enroll -u http://user:userpw@serverAddr:serverPort
How can we fix this?
This happens when fabric-ca-client cannot find any X509 or Idemix identity. fabric-ca-client needs to be initialized with an identity (except when it's being used to enroll a user). It first tries to load an X509 identity from the mspdir location specified in the fabric-ca-client-config.yaml file or by the -M command line argument, which takes precedence over mspdir in the config file. If it's not able to find an X509 identity, it will look for an Idemix identity. If this fails as well, it displays the error in question.
For an X509 identity:
its public cert needs to be in signcerts,
its private key needs to be in keystore,
and the public cert of the authority that issued the public/private keypair needs to be in the cacerts folder (if an intermediate CA was used, then its cert needs to be in intermediatecerts);
all the folders above are under the mspdir.
Solution 1
A potential cause: if the folder indicated by FABRIC_CA_CLIENT_HOME has not been created, you'll get that error. You have to check that FABRIC_CA_CLIENT_HOME points to an existing folder. This happens too when a wrong MSP path is given.
Example:
fabric-ca-client gencrl -M ~/wrong_path
Solution 2:
Resolution for the fabric-ca-client identity list command is as follows:
start the network with the CA option
./network.sh up -ca
after the network is up, navigate to (assumes you are already in the test-network directory):
cd organizations/peerOrganizations/org1.example.com
export cert path using this command:
export FABRIC_CA_CLIENT_TLS_CERTFILES=$PWD/ca/ca.org1.example.com-cert.pem
export fabric-ca-client home using this command:
export FABRIC_CA_CLIENT_HOME=$PWD
issue the following command:
fabric-ca-client identity list
Since you use TLS, you should use the --tls.certfiles flag or set the FABRIC_CA_CLIENT_TLS_CERTFILES environment variable when using the fabric-ca-client command. This should hold the full path to your organisation's TLS certificate.
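The MSP layout listed in the answer above, together with the missing-folder cases from Solution 1 and from the "cannot find Signcert" question, as a pre-flight shell check. This is an added example, not code from any of the answers or from Fabric; check_msp_dir, has_file, make_sample_msp and the placeholder sample tree are assumed names and constructed data.

```shell
#!/bin/sh
# Added example (not from the original answers): pre-flight check that an MSP
# directory has the layout described above, so a missing enroll, a wrong -M /
# FABRIC_CA_CLIENT_HOME path or a bad mount is caught before the client or peer fails.

has_file() {
    # true if directory $1 exists and holds at least one regular file
    if [ -d "$1" ] && [ -n "$(find "$1" -maxdepth 1 -type f 2>/dev/null | head -n 1)" ]; then
        return 0
    fi
    return 1
}

check_msp_dir() {
    # $1 = MSP dir; returns 0 if complete, otherwise prints what is missing and returns 1
    msp="$1"
    rc=0
    if [ ! -d "$msp" ]; then
        echo "MSP dir does not exist: $msp (wrong -M, FABRIC_CA_CLIENT_HOME or mount?)"
        return 1
    fi
    has_file "$msp/signcerts" || { echo "missing signcerts/ (public cert): enroll first"; rc=1; }
    has_file "$msp/keystore"  || { echo "missing keystore/ (private key): enroll first"; rc=1; }
    has_file "$msp/cacerts"   || { echo "missing cacerts/ (issuing CA cert)"; rc=1; }
    # intermediatecerts/ is only required when an intermediate CA issued the identity
    if [ -d "$msp/intermediatecerts" ] && ! has_file "$msp/intermediatecerts"; then
        echo "intermediatecerts/ exists but is empty"; rc=1
    fi
    return $rc
}

make_sample_msp() {
    # Constructed demo tree: $1 = target dir, $2 = subdirs to fill with placeholder files
    mkdir -p "$1"
    for sub in $2; do
        mkdir -p "$1/$sub"
        echo "placeholder, not a real key or cert" > "$1/$sub/sample.pem"
    done
}

demo() {
    tmp=$(mktemp -d)
    make_sample_msp "$tmp/good" "signcerts keystore cacerts"
    make_sample_msp "$tmp/unenrolled" "cacerts"      # identity never enrolled
    check_msp_dir "$tmp/good" && echo "good: complete"
    check_msp_dir "$tmp/unenrolled" || echo "unenrolled: incomplete"
    check_msp_dir "$tmp/does-not-exist" || echo "missing dir: incomplete"
    rm -rf "$tmp"
}
demo
```

Point it at the directory you export as FABRIC_CA_CLIENT_HOME (or pass with -M, or mount into /etc/hyperledger/fabric/msp) before starting the node.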

How to manage MSP using hyperledger fabric CA?

1) Can we use hyperledger fabric-ca to manage the MSP?
2) If yes, how do we configure it?
3) Can we generate the MSP using hyperledger fabric-ca?
I've found a solution: we can avoid using the binaries and generate the MSP using fabric-ca.
Check the fabric-ca directory in fabric-samples; in it, first run:
$: ./makeDocker.sh (this will generate the docker-compose.yaml file)
then run
$: ./start.sh
This will spin up the docker containers, install the sample chaincode, and enroll the peer and orderer users on fabric-ca.
