I'm using Ubuntu 16.04. When I tried to customize the network configuration according to my needs, I got this error:
2018-03-20 22:54:33.547 UTC [cauthdsl] deduplicate -> ERRO 52c33 Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.blockchain-clone.iba"))
Here is the configtx.yaml content, and cryptoconfig.yaml is here.
What should I do to fix it?
Related
I'm trying to create a channel for my hyperledger fabric network but I've been stuck for over two weeks with this error :
[policies] SignatureSetToValidIdentities -> WARN 00d invalid identity: certificate subject=CN=Admin#productionlaborg.supplychain.com,OU=admin,L=San Francisco,ST=California,C=US serialnumber=332150209750411695579251324251304242011 error="the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.productionlaborg.supplychain.com")"
Know that I export the correct path of the "MSP folder" of the admin "Admin#productionlaborg" who created the channel.
Please, I need help.
The official Hyperledger Fabric website says to use fabric-ca-client reenroll if a certificate is about to expire. I tried to reenroll the certificates, but an x.509 error occurred:
[grpc] createTransport -> DEBU bab grpc: addrConn.createTransport failed to connect to {orderer:7050 0 }. Err :connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority". Reconnecting...
I used the same CA to reenroll the certificate, so I don't know why the "unknown authority" error is shown.
I would be grateful if anyone could give me the full steps for replacing the admin certificate for Hyperledger Fabric.
You can use akc-dcm-cli. It supports renewing a Hyperledger Fabric user's certificate by running the command:
dcm certificate renew --parent-cert=../data/intermediate-ca/signcerts/ica-cert.pem \
  --parent-private-key=../data/intermediate-ca/keystore/ica-key.pem \
  --old-cert=../data/peer/output/peer-cert.pem \
  --old-private-key=../data/peer/keystore/peer-key.pem \
  --output=../data/peer/output/renew-peer-cert.pem \
  --days=365
parent-cert and parent-private-key are the key pair of the CA
old-cert and old-private-key are the key pair of the expired user
output is the path of the new cert
After renewing the cert, replace the user's expired cert with the new cert. Keep the current private key of the user's cert.
I have the queries below regarding client/user identities created by the enrollment process for a nodejs client. When I try to enroll identities, fabric-ca issues certificates for that particular user. The certificate issued to that client has the properties below.
Certificate Information:
Common Name: admin
Organization Unit: client
Valid From: May 6, 2020
Valid To: May 6, 2021
Issuer: fabric-ca-server, Hyperledger
Now when I try to use the same identity to install and instantiate chaincode or interact with the fabric runtime via TestAPI, it throws the error below:
2020-05-05 18:35:06.670 UTC [protoutils] ValidateProposalMessage -> WARN 0e4 channel [ichannel]: MSP error: the supplied identity is not valid: x509: certificate signed by unknown authority
I have created crypto certificates for all organizations using cryptogen tool. These certificates have been issued by the certificate authority defined in network-config.yaml file.
I suspect that the difference in the certificate issuer is causing the identity issue. Please let me know if my understanding is correct.
If yes, then how can I ensure that these nodejs client certificates are being used by the same certificate authority defined in the network-config.yaml file?
I was able to resolve this issue by updating the Certificate Authorities' environment variables inside the docker-compose file. Earlier they were not getting picked up from the /etc/hyperledger/fabric-ca-server-config/ location. I updated the path for the environment variables below for all Certificate Authorities before regenerating the crypto configurations and restarting the whole network:
FABRIC_CA_SERVER_CA_KEYFILE
FABRIC_CA_SERVER_CA_CERTFILE
Note: TLS configs were disabled inside the network.
This has worked for me.
I have created two nodes. Node1 has Peer0.org1, the CA and the Orderer Service, and Node2 has Peer0.org2 and Peer0.org3.
I can invoke and execute a query using fabric-client from peer0.org1, but when I try the same from peer0.org2 and peer0.org3 it does not work using the API and throws an "MSP error: the supplied identity is not valid: x509: certificate signed by unknown authority" error. However, it works from the CLI.
Can anyone help me to resolve this?
Please check the endorsement policy on the chaincode. Most of the time this error occurs because your org2 and org3 are not part of the endorsement policy.
[client-utils.js]: sendPeersProposal - Promise is rejected: Error:
Failed to deserialize creator identity, err The supplied identity is
not valid, Verify() returned x509: certificate signed by unknown
authority (possibly because of "x509: ECDSA verification failure"
while trying to verify candidate authority certificate
"ca.org1.example.com")
This is clearly related to wrong certificates. Cross-check the certificates; if possible, generate the certificates for the CA again using cryptogen and place them in the peers accordingly.