Add a new org - certificate signed by unknown authority - hyperledger-fabric

I'm trying to add a new org called Org4 in the fabric network generated by the script byfn. I'm following this tutorial http://hyperledger-fabric.readthedocs.io/en/latest/channel_update_tutorial.html
But I met an error when I try to do the "peer channel update" :
could not create channel Application sub-group config: setting up the MSP manager failed: the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.org4.example.com"
I don't know why the certificate is not valid because I generated it the same way I did and succeed with Org3. Using cryptogen and I changed the config files by replacing 'Org3' to 'Org4'.
First I thought it was because I had already three orgs, but then I create a new network and try to add Org4. It didn't work, but if i try again to add Org3 it will work. So I'm confused about how just changing the name of the Org can impact the process.
Best Regards

Related

Procedure of replacing a root CA cert with another one of a different key pair in a fabric network?

What is the procedure of replacing a root CA cert with another one of a different key pair.
Q-1 : Is that required to follow config update steps to do as we do in add/remove org, since RCA need to change?
(Understood that changing the RCA require to reCreate all peers,nodes, identities as well)
When we use the default setup of fabric CA, then
it bootstraps the fabric ca server with bootstrap administrator - 'fabric-ca-server start -b admin:adminpw -d'
On enrolling the bootstrap administrator -
It creates the following in msp : cacerts, Keystore, sign certs (Set-A)
now when we have to create identities then it uses Set-A, and all such stuff also got bind to the genesis block as well, as certificate got configured via ConfigTX file, and that got stored in the config channel of fabric.
Q-2 : Now If we have to change the RCA's cacerts, Keystore, sign certs (Set-B), then what is the procedure to do that ?
Not found any guidelines or documents on this, It's just logically understood if that is possible then maybe follow the similar steps as we do in add/remove orgs.
Q-3: But even to replace all identities with new RCA along with RCA's cert, key pair etc, then I don't think existing data may work?
if the live network already has x data, but RCA's cacerts, Keystore, sign certs and all identities got changed and also updated the config file with config-update way as we do in add/remove orgs so it has new certificate info ?

Regarding admin/user identities created for Nodejs Client via Enrollment in Hyperledger Fabric

I have below queries with regards to client/user identities created by enrollment process for nodejs client. When I try to enroll identities then fabric-ca issue certificates for that particular user. Certificate issued to that client has below properties.
Certificate Information:
Common Name: admin
Organization Unit: client
Valid From: May 6, 2020
Valid To: May 6, 2021
Issuer: fabric-ca-server, Hyperledger
Now when I try to use the same identity to install and instantiate chaincode or interact with fabric runtime via TestAPI it throws below error :
2020-05-05 18:35:06.670 UTC [protoutils] ValidateProposalMessage -> WARN 0e4 channel [ichannel]: MSP error: the supplied identity is not valid: x509: certificate signed by unknown authority
I have created crypto certificates for all organizations using cryptogen tool. These certificates have been issued by the certificate authority defined in network-config.yaml file.
I suspect that the difference in the certificate issuer it's causing identity issue. Please let me know if my understanding is correct.
If yes then how I can ensure that these nodejs client certificates are being used by the same certificate authority defined in network-config.yaml file.
I was able to resolve this issue by updating Certificate Authorities environment variables inside the docker-compose file. Earlier they were not getting picked from /etc/hyperledger/fabric-ca-server-config/ location.I did update path for below environment variables of all certificate Authorities before regenerating crypto configurations and restarting the whole network:
FABRIC_CA_SERVER_CA_KEYFILE
FABRIC_CA_SERVER_CA_CERTFILE
Note: TLS configs were disabled inside the network.
This has worked for me.

MSP error: the supplied identity is not valid: x509: certificate signed by unknown authority

I have created Two Node. Node1 has Peer0.org1, CA and Orderer Service and Node2 have Peer0.org2 and Peer0.org3.
I can invoke and execute a query using fabric-client from peer0.org1 but When I tried same from peer0.org2 and peer0.org3 it's not working using API and it throws MSP error: the supplied identity is not valid: x509: certificate signed by unknown authority error. However it's working from the CLI
Can anyone help me to resolve this?
Please check the endorsement policy on the chaincode. Most of the times this error is because your org2 and org3 are not part of endorsement policy.

Failed to initialize local MSP: admin 0 is invalid: could not obtain certification chain

I get this error when I am starting an orderer.
Failed to initialize local MSP: admin 0 is invalid: could not obtain certification chain: An X509 certificate with Basic Constraint: Certificate Authority equals true cannot be used as an identity
How can I resolve this?
I have the orderer running on a separate node from where I have generated the admin certs.
Possible this means that the admin certs on the orderer are invalid, or doesn't exist. For me it was expected to be in the following folder: [orderer org]/msp/admincerts/cert.pem but was not.
Ensure that admin certs generated for your orderer are correct, whether they are generated by cryptogen or with fabric-ca.

hyperledger fabric invoke.js "Error: 2 UNKNOWN: access denied: channel [mychannel] creator org [Org1MSP]"

I am able to invoke my chaincode from docker cli successfully (fabric-shim).
i ran enrollAdmin.js and registerUser.js sucessfully,
but when i try to run invoke.js or query.js, i get Error: 2 UNKNOWN: access denied: channel [mychannel] creator org [Org1MSP].
Though there are limited information shows above, the peer log give the essential hint about the problem:
WARN 044 channel [mychannel]: MSP error: the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.org1.example.com"
Here is the suggestions that may help your to solve this problem:
Change your peer's logging level to DEBUG on docker-compose file, you will be more easily to find the solution followed by the debug information.
Make sure your CA container is running and its logs not throws out error, like some certifications verify error, which commonly causes by wrong configuration.
Now that the logs shows up some information about x509 ECDSA, which related to the signature and and the peers endorsement keycert. Also, this keycerts may storage on /tmp/hfc-key-store or any other place that you defined on you code. Try to clean up this temporary file and restart network again.
Noticed that your are using the fabric-sample repo, I think this problem may not caused by some code issues since you just modified a few parameters. So I recommend you to follow this tutorial to get the right step.
I came across similar issue.
I found out then channel name in network config and the channel I created was different. So I changed the channel name in the network config and it got fixed.

Resources