How to resolve Hyperledger Fabric GRPC error on AWS EC2 instances? - hyperledger-fabric

It seems as though grpc is using some fairly random ports from my CLI client which I haven't manually opened.
Has anyone else had troubles with Fabric on AWS EC2 in regards to security groups and the firewalled ports? How would one create a relatively safe security group that's open enough to allow for these random grpc ports? Is there a specific port range this CLI client uses?
2018-04-06 13:33:19.399 UTC [grpc] Printf -> DEBU 3a3 transport: http2Server.HandleStreams failed to read frame: read tcp X.X.X.X:7050->X.X.X.X:51502: read: connection reset by peer
2018-04-06 13:33:32.481 UTC [grpc] Printf -> DEBU 3d5 transport: http2Server.HandleStreams failed to read frame: read tcp X.X.X.X:7050->X.X.X.X:51518: read: connection reset by peer
2018-04-06 13:33:44.610 UTC [grpc] Printf -> DEBU 41f transport: http2Server.HandleStreams failed to read frame: read tcp X.X.X.X:7050->X.X.X.X:51522: read: connection reset by peer
Ports 51502, 51518, 51522 referenced above from the orderer logs.
These errors stemmed from a CLI client issuing a ./peer chaincode instantiate command which is failing.

In my case, I got the same error until I opened all ports for outbound connections on my peers.
Try fixing the rules for your peer:
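Ports such as 51502, 51518 and 51522 in the orderer log are the CLI client's ephemeral source ports, chosen by the client kernel for each connection, not services that need an inbound rule. The following script is an added example, not code from the original post: it parses the orderer lines quoted in the question, separates the listener port from the ephemeral client ports, and emits the inbound rules a stateful security group (AWS security groups are stateful, so return traffic to the client's ephemeral port is allowed automatically) actually needs. The source CIDR and the port-name table are assumptions.

```python
"""Classify the ports in Fabric gRPC transport log lines and derive the
inbound security-group rules that are actually required.

Added example, not part of the original post. The ORDERER_LOG lines are
copied from the question; KNOWN_FABRIC_PORTS and the CIDR are assumptions.
"""
import re

# Linux default ephemeral range (net.ipv4.ip_local_port_range).
EPHEMERAL_RANGE = (32768, 60999)

# Default Fabric listeners (assumed mapping for labelling only).
KNOWN_FABRIC_PORTS = {7050: "orderer", 7051: "peer",
                      7052: "peer-chaincode", 7053: "peer-events"}

ORDERER_LOG = """\
2018-04-06 13:33:19.399 UTC [grpc] Printf -> DEBU 3a3 transport: http2Server.HandleStreams failed to read frame: read tcp X.X.X.X:7050->X.X.X.X:51502: read: connection reset by peer
2018-04-06 13:33:32.481 UTC [grpc] Printf -> DEBU 3d5 transport: http2Server.HandleStreams failed to read frame: read tcp X.X.X.X:7050->X.X.X.X:51518: read: connection reset by peer
2018-04-06 13:33:44.610 UTC [grpc] Printf -> DEBU 41f transport: http2Server.HandleStreams failed to read frame: read tcp X.X.X.X:7050->X.X.X.X:51522: read: connection reset by peer
"""

# Go's net package prints "read tcp LOCAL:PORT->REMOTE:PORT"; IPv4 only here.
ADDR_RE = re.compile(r"tcp (\S+?):(\d+)->(\S+?):(\d+)")


def is_ephemeral(port):
    lo, hi = EPHEMERAL_RANGE
    return lo <= port <= hi


def parse_transport_line(line):
    """Return (local_port, remote_port) from a gRPC transport error, or None."""
    m = ADDR_RE.search(line)
    if not m:
        return None
    return int(m.group(2)), int(m.group(4))


def classify(log_text):
    """Split ports seen in the log into listeners we own and ephemeral client ports."""
    listeners, ephemeral = set(), set()
    for line in log_text.splitlines():
        parsed = parse_transport_line(line)
        if parsed is None:
            continue
        local, remote = parsed
        # On http2Server lines the local side is our listener; the remote
        # side is the client's source port, which its kernel picks at random.
        listeners.add(local)
        (ephemeral if is_ephemeral(remote) else listeners).add(remote)
    return sorted(listeners), sorted(ephemeral)


def security_group_rules(listeners, source_cidr):
    """Inbound rules for a stateful security group: only listener ports are
    opened, and only from the CIDR the clients live in. Ephemeral ports never
    appear here because the reply traffic is matched to the existing flow."""
    return [{"direction": "ingress", "protocol": "tcp", "port": port,
             "cidr": source_cidr,
             "service": KNOWN_FABRIC_PORTS.get(port, "unknown")}
            for port in listeners]


if __name__ == "__main__":
    listeners, ephemeral = classify(ORDERER_LOG)
    print("listeners:", listeners)        # [7050]
    print("ephemeral:", ephemeral)        # [51502, 51518, 51522]
    for rule in security_group_rules(listeners, "10.0.0.0/16"):
        print(rule)
```

Outbound on the client side does need to reach the orderer and peer listener ports, which is the half the answer above fixed; the inbound side of the nodes only ever needs 7050/7051 and whatever other listeners you run.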

Related

Hyperledger anchor peers cannot communicate with each other because of tls bad certificate

I had created a hyperledger fabric channel [channel1] with two peer organizations (Org1, Org2) and one orderer organization (OrdererOrg), and there is one peer (peer0.org1.com/peer0.org2.com) in each peer organization and three orderer nodes [Orderer0, Orderer1, Orderer2] in the orderer organization. After joining ordering nodes and peers into the channel and setting [peer0.org1.com] and [peer0.org2.com] as anchor peers, the following errors are printed in the peer logs:
peer0.org1.com
2021-04-14 10:53:08.108 CST [core.comm] ServerHandshake -> ERRO 1a2 Server TLS handshake failed in 962.117µs with error remote error: tls: bad certificate server=PeerServer remoteaddress=127.0.0.1:58281
2021-04-14 10:53:09.112 CST [core.comm] ServerHandshake -> ERRO 1a3 Server TLS handshake failed in 2.162124ms with error remote error: tls: bad certificate server=PeerServer remoteaddress=127.0.0.1:58283
2021-04-14 10:53:10.836 CST [core.comm] ServerHandshake -> ERRO 1a4 Server TLS handshake failed in 1.629684ms with error remote error: tls: bad certificate server=PeerServer remote address=127.0.0.1:58285
peer0.org2.com
2021-04-14 10:53:11.107 CST [gossip.gossip] func1 -> WARN 12f Deep probe of localhost:20000 for channel channel1 failed: context deadline exceeded
2021-04-14 10:53:11.108 CST [gossip.discovery] func1 -> WARN 130 Could not connect to Endpoint: localhost:20000, InternalEndpoint: localhost:20000, PKI-ID: <nil>, Metadata: : context deadline exceeded
configtx.yaml
core.yaml of [peer0.org1.com]
core.yaml of [peer0.org2.com]
The tutorials I followed:
Creating a channel
I solved the problem by adding a folder named tlscacerts to the organization MSP.
Notice that in the test-network it is at /test-network/organizations/peerOrganizations/org1.example.com/msp/tlscacerts/
Copy your TLS root CA certificate into it.
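The answer above fixes a missing msp/tlscacerts/ directory, and the question two sections down compares CA files by looking at the last characters of the PEM. The script below is an added example, not code from the original posts or from Fabric: it checks that an org MSP directory has cacerts/ and tlscacerts/ with a certificate file in each, and compares the SHA-256 fingerprint of the DER certificate (what `openssl x509 -fingerprint -sha256` prints) in the peer's tls/ca.crt against the ones in msp/tlscacerts/. The directory layout follows the test-network paths quoted above; the PEM payloads it builds for the demo are constructed placeholders, not real X.509 certificates.

```python
"""Check that an org MSP carries the TLS root CA the peer's tls/ca.crt was
issued from, comparing certificate fingerprints rather than eyeballing PEM.

Added example, not from the original posts or the Fabric project. The
layout (msp/cacerts, msp/tlscacerts, peers/<peer>/tls/ca.crt) mirrors
test-network; make_pem() wraps constructed bytes, not real certificates.
"""
import base64
import hashlib
import os
import re
import tempfile

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

REQUIRED_MSP_DIRS = ("cacerts", "tlscacerts")


def pem_fingerprints(pem_text):
    """SHA-256 over each DER certificate in a PEM bundle, as lowercase hex."""
    fps = []
    for b64 in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(b64.split()))
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def check_msp_layout(msp_dir):
    """Return a list of problems: a missing dir, or a dir without a cert file."""
    problems = []
    for name in REQUIRED_MSP_DIRS:
        path = os.path.join(msp_dir, name)
        if not os.path.isdir(path):
            problems.append("missing %s/" % name)
            continue
        if not any(f.endswith((".pem", ".crt")) for f in os.listdir(path)):
            problems.append("%s/ has no certificate file" % name)
    return problems


def tls_root_matches(msp_dir, peer_tls_ca_path):
    """True if every cert in the peer's tls/ca.crt is present in msp/tlscacerts/."""
    with open(peer_tls_ca_path) as f:
        want = set(pem_fingerprints(f.read()))
    tls_dir = os.path.join(msp_dir, "tlscacerts")
    if not os.path.isdir(tls_dir):
        return False
    have = set()
    for name in os.listdir(tls_dir):
        with open(os.path.join(tls_dir, name)) as f:
            have.update(pem_fingerprints(f.read()))
    return bool(want) and want <= have


def make_pem(payload):
    """Wrap constructed bytes as a PEM block (placeholder, not a real X.509 cert)."""
    body = base64.encodebytes(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % body


def build_fixture(with_tlscacerts):
    """Lay out a temp org tree like test-network's; return (msp_dir, peer_ca_path)."""
    root = tempfile.mkdtemp(prefix="org1-")
    msp = os.path.join(root, "msp")
    os.makedirs(os.path.join(msp, "cacerts"))
    with open(os.path.join(msp, "cacerts", "ca.org1.example.com-cert.pem"), "w") as f:
        f.write(make_pem(b"constructed msp root ca"))
    tls_root = make_pem(b"constructed tls root ca")
    if with_tlscacerts:
        os.makedirs(os.path.join(msp, "tlscacerts"))
        with open(os.path.join(msp, "tlscacerts", "tlsca.org1.example.com-cert.pem"), "w") as f:
            f.write(tls_root)
    peer_tls = os.path.join(root, "peers", "peer0.org1.example.com", "tls")
    os.makedirs(peer_tls)
    ca_path = os.path.join(peer_tls, "ca.crt")
    with open(ca_path, "w") as f:
        f.write(tls_root)          # same root the peer presents to gossip clients
    return msp, ca_path


if __name__ == "__main__":
    msp_dir, peer_ca = build_fixture(with_tlscacerts=False)
    print(check_msp_layout(msp_dir))           # ['missing tlscacerts/']
    print(tls_root_matches(msp_dir, peer_ca))  # False
```

Run it against a real crypto-config tree by calling check_msp_layout() and tls_root_matches() on the org's msp/ directory and the peer's tls/ca.crt; a False from the second call is the "tls: bad certificate" situation above, where the remote org cannot build a chain from the presented TLS cert to anything it trusts.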

Debugging TLS handshake failure

I'm trying to access my peer through the fabric-network nodejs sdk.
However, I encounter an error during the gateway.connect in the sdk and the logs I find in the peer container are not helpful.
All I have, even with the grpc=debug logging mode is :
peer0.catie-test | 2020-09-21 13:27:07.731 UTC [core.comm] ServerHandshake -> ERRO 087 TLS handshake failed with error remote error: tls: handshake failure server=PeerServer remoteaddress=172.17.0.1:49918
peer0.catie-test | 2020-09-21 13:27:07.731 UTC [grpc] handleRawConn -> DEBU 088 grpc: Server.Serve failed to complete security handshake from "172.17.0.1:49918": remote error: tls: handshake failure
Any way to have more helpful logs ? I would like to know, for example, which key are used for the TLS handshake check.
Edit with more info: Configuration files and TLS verification
My peer is configured with TLS with the env variables :
CORE_PEER_TLS_ENABLED=true
CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/crypto/peer/tls-msp/keystore/key.pem
CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/crypto/peer/tls-msp/signcerts/cert.pem
CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/crypto/peer/tls-msp/tlscacerts/tlsca.catie-test-cert.pem
I have the correct tlscacert of my peer on the client side, because the output from the peer and from client side are the same:
cat /etc/hyperledger/crypto/peer/tls-msp/tlscacerts/tlsca.catie-test-cert.pem # From the peer, output ZTd/o8LLw== at the end
cat /tmp/fabric-start-catie-test/building/artifacts/peer0.catie-test-crypto/tls-msp/tlscacerts/tlsca.catie-test-cert.pem # From the client, output ZTd/o8LLw== at the end
Path to the peer tlscacert is filled in the client side connection-profile.json :
"peers": {
  "peer0.catie-test": {
    "tlsCACerts": {
      "path": "/tmp/fabric-start-catie-test/building/artifacts/peer0.catie-test-crypto/tls-msp/tlscacerts/tlsca.catie-test-cert.pem"
    },
    "grpcOptions": {
      "ssl-target-name-override": "172.17.0.7",
      "grpc.keepalive_time_ms": 10000
    },
    "url": "grpcs://172.17.0.4:7051",
    "eventUrl": "grpcs://172.17.0.4:7053"
  }
}
And I also checked that the tlsCAcert is the one that generated my peer cert :
openssl verify -CAfile $CORE_PEER_TLS_ROOTCERT_FILE $CORE_PEER_TLS_CERT_FILE # Output : /etc/hyperledger/crypto/peer/tls-msp/signcerts/cert.pem: OK
Edit 2 : Grpc option, peer name instead of IP and client logs
Also tried adding the grpcOptions to the peer section of the connection-profile.json (see the updated paragraph above) but it didn't change anything.
Also tried adding the peer name to my /etc/hosts to reach my peer via its name instead of its IP. It makes a warning disappear but doesn't solve my problem, and I prefer to work with IPs in my scripts.
Here are the logs of the nodejs sdk client in case it helps to diagnose the problem, but it only says that the Endorser must be connected and I think it is, because it reaches my peer as I have this TLS error in my peer's logs.
(node:59350) [DEP0123] DeprecationWarning: Setting the TLS ServerName to an IP address is not permitted by RFC 6066. This will be ignored in a future version.
2020-09-23T06:42:20.704Z - error: [ServiceEndpoint]: Error: Failed to connect before the deadline on Endorser- name: peer0.catie-test, url:grpcs://172.17.0.7:7051, connected:false, connectAttempted:true
2020-09-23T06:42:20.705Z - error: [ServiceEndpoint]: waitForReady - Failed to connect to remote gRPC server peer0.catie-test url:grpcs://172.17.0.7:7051 timeout:3000
2020-09-23T06:42:20.708Z - error: [NetworkConfig]: buildPeer - Unable to connect to the endorser peer0.catie-test due to Error: Failed to connect before the deadline on Endorser- name: peer0.catie-test, url:grpcs://172.17.0.7:7051, connected:false, connectAttempted:true
at checkState (/home/rqueraud/CATIE/Myrmica/myrmica-start/node_modules/@grpc/grpc-js/build/src/client.js:69:26)
at Timeout._onTimeout (/home/rqueraud/CATIE/Myrmica/myrmica-start/node_modules/@grpc/grpc-js/build/src/channel.js:292:17)
at listOnTimeout (internal/timers.js:549:17)
at processTimers (internal/timers.js:492:7) {
connectFailed: true
}
(node:59350) UnhandledPromiseRejectionWarning: Error: Endorser must be connected
at Channel.addEndorser (/home/rqueraud/CATIE/Myrmica/myrmica-start/node_modules/fabric-common/lib/Channel.js:259:10)
at buildChannel (/home/rqueraud/CATIE/Myrmica/myrmica-start/node_modules/fabric-network/lib/impl/ccp/networkconfig.js:50:21)
at Object.loadFromConfig (/home/rqueraud/CATIE/Myrmica/myrmica-start/node_modules/fabric-network/lib/impl/ccp/networkconfig.js:34:19)
at processTicksAndRejections (internal/process/task_queues.js:97:5)
at async Gateway.connect (/home/rqueraud/CATIE/Myrmica/myrmica-start/node_modules/fabric-network/lib/gateway.js:279:13)
at async queryChaincode (/home/rqueraud/CATIE/Myrmica/myrmica-start/test/chaincode-sdk/index.js:41:5)
at async /home/rqueraud/CATIE/Myrmica/myrmica-start/test/chaincode-sdk/index.js:57:5
Edit 3 : Docker IPs ? Trying with EC2 instances.
As @Urko mentioned, my nodes are in fact docker containers running docker-in-docker (dind) images. Inside these containers are some other containers running the hyperledger peer, cli, ... images.
I access them from the host, which is also where I run the fabric sdk nodejs client. I cannot access them via their container name; I think it is only possible in a docker-compose configuration, isn't it? I already tried (see Edit 2 above) to add their names to my /etc/hosts to reach them via a name instead of an IP, but it didn't change anything.
However, as my network startup is scripted, I deployed it using docker-machine in AWS instead of the dind docker containers this time, so these are real instances reachable on the internet. But I still encounter the same errors; here is the log from the peer, where you can see this is coming from a public IP:
2020-09-24 08:32:57.653 UTC [core.comm] ServerHandshake -> ERRO 0d7 TLS handshake failed with error remote error: tls: handshake failure server=PeerServer remoteaddress=31.36.26.4:35462
It seems that the connection with your peer has been defined to be secured by the TLS protocol. So you should check your peer configuration to know which certificates you are using for TLS.
As when you connect to any server using this protocol, the communication among the parties is encrypted using the certificate of the server (in this case, the peer will be the server). So you need to configure your client to trust the server by the root CA that has been used to issue the peer's TLS certificates.
The client is where you use the SDK, so you should configure it to trust the peer TLS certificate. When you configure the connection to the blockchain nodes (peers and orderers), you define their address as well as their TLS certificate. This is an example that you can find at the following link. There, you have to define the value of the tlsCACerts param:
orderers:
  orderer.example.com:
    url: grpcs://localhost:7050
    grpcOptions:
      ssl-target-name-override: orderer.example.com
      grpc-max-send-message-length: 4194304
    tlsCACerts:
      path: test/fixtures/channel/crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tlscacerts/example.com-cert.pem
peers:
  peer0.org1.example.com:
    url: grpcs://localhost:7051
    grpcOptions:
      ssl-target-name-override: peer0.org1.example.com
      grpc.keepalive_time_ms: 600000
    tlsCACerts:
      path: test/fixtures/channel/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tlscacerts/org1.example.com-cert.pem
----- Edited ----
Also, you have to check the value of the ssl-target-name-override param. It should be the same as your node's name, as you can see in the example file.
----- Edited ----
Why are you using those IPs?! I understand that those IPs are internal from the Docker network, so you should not use them. Could you try using your containers names instead of the docker networks IPs?
----- Edited ----
Could you verify your ca-server configuration file and check that the tls is set to true?
You are trying a gRPC call to the peer server, where the peer server is secured by its TLS setup. So if you fail to provide a valid TLS certificate, the server TLS handshake will fail and you will not succeed in establishing the connection.
Please check that your network config file is properly built, and also check that you are using the same TLS CA certificate that is used to run the peer server and that your TLS certificate path is correct.
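The answers above come down to three checks on the connection profile: a grpcs:// endpoint must carry a tlsCACerts entry, ssl-target-name-override must be a name the peer's TLS certificate was issued for (not an IP, which is also what the DEP0123 warning in the client log is about: an SNI ServerName cannot be an IP literal per RFC 6066), and a plaintext grpc:// URL against a TLS listener will never get past the handshake. The linter below is an added example, not code from the question or from the Fabric SDK. It walks the peers and orderers of a profile and reports those mistakes; the embedded profile is the one from the question. It does not touch the filesystem or the network, so path existence is deliberately not checked.

```python
"""Lint a fabric-network connection profile for the TLS mistakes discussed
in this thread. Added example; not part of the question or of the SDK.

PROFILE_JSON is the peer entry from the question above. Severity labels and
message wording are this example's own.
"""
import ipaddress
import json
from urllib.parse import urlsplit

PROFILE_JSON = """
{
  "peers": {
    "peer0.catie-test": {
      "tlsCACerts": {
        "path": "/tmp/fabric-start-catie-test/building/artifacts/peer0.catie-test-crypto/tls-msp/tlscacerts/tlsca.catie-test-cert.pem"
      },
      "grpcOptions": {
        "ssl-target-name-override": "172.17.0.7",
        "grpc.keepalive_time_ms": 10000
      },
      "url": "grpcs://172.17.0.4:7051"
    }
  }
}
"""


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def lint_node(kind, name, node):
    """Return a list of (severity, message) for one peers/orderers entry."""
    findings = []
    parts = urlsplit(node.get("url", ""))
    scheme, host = parts.scheme, parts.hostname or ""
    tls = node.get("tlsCACerts") or {}
    override = (node.get("grpcOptions") or {}).get("ssl-target-name-override")

    if scheme == "grpc":
        findings.append(("error", f"{kind} {name}: url is plaintext grpc://; "
                         "a TLS listener will fail the handshake and close the connection"))
    elif scheme == "grpcs" and not (tls.get("path") or tls.get("pem")):
        findings.append(("error", f"{kind} {name}: grpcs:// without tlsCACerts.path "
                         "or tlsCACerts.pem, so the server certificate cannot be verified"))
    elif scheme != "grpcs":
        findings.append(("error", f"{kind} {name}: unexpected url scheme {scheme!r}"))

    if is_ip_literal(host) and override is None:
        findings.append(("warn", f"{kind} {name}: url host {host} is an IP and no "
                         "ssl-target-name-override is set; the cert needs that IP in its SAN"))
    if override is not None:
        if is_ip_literal(override):
            findings.append(("error", f"{kind} {name}: ssl-target-name-override "
                             f"{override!r} is an IP literal; SNI cannot carry an IP "
                             "(RFC 6066) and it will not match a DNS SAN"))
        elif override != name:
            findings.append(("warn", f"{kind} {name}: ssl-target-name-override "
                             f"{override!r} differs from the node name; it must match "
                             "a SAN in the node's TLS certificate"))
    return findings


def lint_profile(profile):
    findings = []
    for kind in ("peers", "orderers"):
        for name, node in (profile.get(kind) or {}).items():
            findings.extend(lint_node(kind, name, node))
    return findings


def lint_json(text):
    return lint_profile(json.loads(text))


if __name__ == "__main__":
    for severity, message in lint_json(PROFILE_JSON):
        print(f"[{severity}] {message}")
```

On the profile from the question the only finding is the IP-literal override; switching it to peer0.catie-test and making sure that name is in the certificate's SAN list (openssl x509 -noout -ext subjectAltName -in cert.pem) is the change the accepted advice above is asking for.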

Running Fabcar example returns error: failed to endorse chaincode install

I am on Ubuntu 19.10, installed all the pre-requisites and have downloaded the fabric-samples git repository.
I am following the tutorial on this link
I ran the first-network example and it worked fine. Now, when I am trying to run the fabcar example by running the command ./startFabric.sh javascript, I am getting the following error:
...
2020-02-02 23:51:14.534 UTC [msp.identity] Sign -> DEBU 02c Sign: digest: 8A36B905991D6B72A6F487E93C79D468A35F402D6EB4F51E3323152A03A5B64E
2020-02-02 23:53:04.531 UTC [grpc] infof -> DEBU 02d Client received GoAway with http2.ErrCodeEnhanceYourCalm.
2020-02-02 23:53:04.531 UTC [grpc] HandleSubConnStateChange -> DEBU 02e pickfirstBalancer: HandleSubConnStateChange: 0xc0003e1620, CONNECTING
2020-02-02 23:53:04.531 UTC [grpc] infof -> DEBU 02f transport: loopyWriter.run returning. connection error: desc = "transport is closing"
Error: failed to endorse chaincode install: rpc error: code = Unavailable desc = transport is closing
It looks like the error is generated when it executed:
docker exec -e CORE_PEER_LOCALMSPID=Org2MSP -e CORE_PEER_ADDRESS=peer0.org2.example.com:9051 -e CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp -e CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt cli peer --tls=true --cafile=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem --orderer=orderer.example.com:7050 lifecycle chaincode install fabcar.tar.gz
I assume I am using the latest version of hyperledger-fabric, v2.0.0, since I am on the master branch of the fabric-samples repository. What am I doing wrong?
I had/have the same issue. What worked in my case was what I have described in my own question here - Hyperledger Fabric 2.0 byfn.sh error installing chaincode
Basically, even though there is an error (for some reason I do not know), the chaincode installation process is alive in the background and the chaincode does get installed.
I saw this behavior and put in a sleep statement for 10 minutes (600 s). I still do not know why this behavior is there (hence my question) but I have a workaround for now.
You need to open ports in the firewall.
In Ubuntu I fixed it using:
$ sudo ufw allow 4422/tcp
Repeat for each docker container port.
You can view the ports via:
$ docker ps
Have you stopped the first-network first by using ./byfn.sh down before you jump into fabcar?
Can I see some logs, like docker ps -a and docker logs peer0.org1.example.com?
Also, HLF has recommended using test-network as a replacement for first-network, which is deprecated by now.
BTW, I would use a release branch rather than master. After all, the master branch is always under development.

Error while joing the TLS enabled peer to channel in Hyperledger

I just brought up the Hyperledger docker containers. I use a TLS-enabled orderer and peers. I created the channel using this command in the cli bash (for peer0):
peer channel create -o orderer0.Myname.com:7050 -c Mynamechannel -f /opt/gopath/src/github.com/hyperledger/fabric/peer/channel-artifacts/channel.tx --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/Myname.com/orderers/orderer0.Myname.com/msp/tlscacerts/tlsca.Myname.com-cert.pem
It runs successfully. Then I try to join the channel using the command
export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.Myname.com/users/Admin@org1.Myname.com/msp
export CORE_PEER_ADDRESS=peer0.org1.Myname.com:7051
export CORE_PEER_LOCALMSPID="Org1Myname"
export CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.Myname.com/peers/peer0.org1.Myname.com/tls/ca.crt
peer channel join -b Mynamechannel.block
But I got errors something like:
2019-02-07 05:53:15.047 UTC [msp/identity] Sign -> DEBU 006 Sign: digest: 143E4E155F1757BB9987562A28A4901B61615989BDB7B6ACD804FF60B2A15F0A
2019-02-07 05:53:15.047 UTC [grpc] Printf -> DEBU 007 transport: http2Client.notifyError got notified that the client transport was broken read tcp 192.168.64.19:60288->192.168.64.18:7051: read: connection reset by peer.
2019-02-07 05:53:15.048 UTC [grpc] Printf -> DEBU 008 transport: http2Client.notifyError got notified that the client transport was broken unexpected EOF.
2019-02-07 05:53:15.049 UTC [grpc] Printf -> DEBU 009 transport: http2Client.notifyError got notified that the client transport was broken unexpected EOF.
2019-02-07 05:53:15.050 UTC [grpc] Printf -> DEBU 00a transport: http2Client.notifyError got notified that the client transport was broken read tcp 192.168.64.19:60294->192.168.64.18:7051: read: connection reset by peer.
Error: proposal failed (err: rpc error: code = Unavailable desc = transport: write tcp 192.168.64.19:60288->192.168.64.18:7051: use of closed network connection)
And sometimes I get another error:
2019-02-07 07:06:38.322 UTC [msp/identity] Sign -> DEBU 005 Sign: digest: D43291FFCD0DE17F5CC33A7DBBB47D043FE83C91EA8514EDCED6AC1D31C0A061
2019-02-07 07:06:38.322 UTC [grpc] Printf -> DEBU 006 transport: http2Client.notifyError got notified that the client transport was broken write tcp 192.168.80.19:56288->192.168.80.18:7051: write: connection reset by peer.
Error: proposal failed (err: rpc error: code = Unavailable desc = transport: write tcp 192.168.80.19:56288->192.168.80.18:7051: write: connection reset by peer)
Thanks in advance.
Fabric : 1.1.0
Os: Ubuntu 16.04

Error while creating channel in hyperledger fabric

I am trying to create a channel in the deployed Hyperledger Fabric,
using the command
peer channel create -o orderer0.orgorderer1:7050 -c mychannel -f ./channel-artifacts/channel.tx
but I am getting this error:
2018-01-18 09:59:05.382 UTC [grpc] Printf -> DEBU 011 transport: http2Client.notifyError got notified that the client transport was broken read tcp 10.244.1.8:47112->10.96.99.75:7050: read: connection reset by peer.
2018-01-18 09:59:05.383 UTC [grpc] Printf -> DEBU 012 transport: http2Client.notifyError got notified that the client transport was broken unexpected EOF.
Error: rpc error: code = Internal desc = transport is closing
2018-01-18 09:59:05.383 UTC [grpc] Printf -> DEBU 013 grpc: addrConn.resetTransport failed to create client transport: connection error: desc = "transport: Error while dialing dial tcp: operation was canceled"; Reconnecting to {orderer0.orgorderer1:7050 <nil>}
2018-01-18 09:59:05.383 UTC [grpc] Printf -> DEBU 014 grpc: addrConn.transportMonitor exits due to: grpc: the connection is closing
More info
My Hyperledger Fabric is deployed on Kubernetes, using this link.
And it was working fine.
Now I have used custom cryptographic material for the MSP
and redeployed.
And I am getting the above error.
All the pods in Kubernetes are up and running.
