Develop Reference

Fabric register user Error: self signed certificate

I am running the fabric ca server using the docker container and using the fabric node for enrolling and register the users. when, I enroll the admin through fabric node its works fine, its create the wallet folder. When i am trying to register the user its throw the error saying
Failed to register user : Error: Calling register endpoint failed with
error [Error: self signed certificate]
Please any suggestion would be appreciated.

The register command should look like:
fabric-ca-client register -d --id.name $ORG_ADMIN --id.secret $ORG_ADMIN_PASSWORD --id.type client --id.affiliation $ORG_AFFILIATION
The fabric-ca-client-config.yaml inside your FABRIC_CA_CLIENT_HOME should look like:
url: https://ca.org0.domain.tld:7054
mspdir: msp
tls:
certfiles: ca-tls.pem
csr:
names:
- C: US
ST: New York
L: New York
O: Org0
OU: Department0
caname: org0-ca
bccsp:
default: SW
sw:
hash: SHA2
security: 256
filekeystore:
keystore: msp/keystore
Please check url and tls.certfiles (if your CA is using TLS).
The msp directory must contain the CA administrator's credentials after enrolling it in the previous step.

MSP error: the supplied identity is not valid: x509: certificate signed by unknown authority Hyperledger Fabric

I first generate crypto materials using cryptogen and then start, for example, org1 CA server like so:
fabric-ca-server start --ca.certfile $(ls crypto-config/peerOrganizations/org1/ca/*.pem) --ca.keyfile $(ls crypto-config/peerOrganizations/org1/ca/*_sk) -d -b admin:adminpw --port 7054
From NodeJS SDK I can enroll admin and register (and enroll) new users. But when I try to access Fabric network with these new user credentials or even admin credentials, I get the below error on SDK console:
root#peer0:/var/hyperledger/api# ts-node src/invoke.ts
Wallet path: /var/hyperledger/api/wallet
2019-10-08T13:32:17.819Z - warn: [DiscoveryEndorsementHandler]: _build_endorse_group_member >> G0:0 - endorsement failed - Error: 2 UNKNOWN: access denied: channel [private-channel] creator org [Org1MSP]
2019-10-08T13:32:17.826Z - warn: [DiscoveryEndorsementHandler]: _build_endorse_group_member >> G0:0 - endorsement failed - Error: 2 UNKNOWN: access denied: channel [private-channel] creator org [Org1MSP]
2019-10-08T13:32:17.833Z - warn: [DiscoveryEndorsementHandler]: _build_endorse_group_member >> G1:0 - endorsement failed - Error: 2 UNKNOWN: access denied: channel [private-channel] creator org [Org1MSP]
2019-10-08T13:32:17.841Z - warn: [DiscoveryEndorsementHandler]: _build_endorse_group_member >> G1:0 - endorsement failed - Error: 2 UNKNOWN: access denied: channel [private-channel] creator org [Org1MSP]
Failed to submit transaction: Error: Endorsement has failed
peer log says:
MSP error: the supplied identity is not valid: x509: certificate signed by unknown authority.
I'm using exactly the same credentials in peer CLI container and SDK. I can do all chaincode operations from CLI, but why peers don't accept connection from SDK?
Does FABRIC_CA_SERVER_CA_NAME has anything to do with it? Does cryptogen also create a FABRIC_CA_SERVER_CA_NAME for the CA server? If so, are peer credentials associated with the CA name? In NodeJS SDK, I tried caName=ca-org1 as well as caName=ca.org1, but still getting same error.

I ran into this (or something very simalar) and managed to resolve it. The issue for me was incorrect paths to my .pem and private key files in the fabric-ca-server start command.
If the paths are incorrect, when the CA container starts it will be unable to locate your files (generated by cryptogen) so will generate its own.
The enroll and register scripts generate identities based on your cryptogen material, which is correct, but they're not the certs your CA has decided to generate for you.
To check if this is what's happening, have a look at the CA logs:
docker logs <your ca container>
Near the top where the server starts up, look for messages referring to missing keys, or messages about generating files.
Hope that helps.

"no default signer setup" error when invoking transaction using Idemix credential

I'm trying to setup Idemix based on the following documentation that I found:
https://hyperledger-fabric.readthedocs.io/en/release-1.4/idemix.html
https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#getting-idemix-cri-certificate-revocation-information
https://hyperledger-fabric.readthedocs.io/en/release-1.4/idemixgen.html
But when invoking a transaction, i received the error below:
$ docker exec -e "CORE_PEER_LOCALMSPTYPE=idemix" -e "CORE_PEER_LOCALMSPID=Org1IdemixMSP" -e "CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/User1#org1.example.com" cli peer chaincode query -C channel1 -n chaincode1 -c '{"Args":["query","a"]}'
Error: error getting default signer: error obtaining the default signing identity: no default signer setup
Steps that I took:
Register a user User1#org1.example.com to fabric CA fabric-ca-client register --id.name User1#org1.example.com --id.secret mysecret --id.type client --id.affiliation org1 --id.attrs role=2 -u http://localhost:7054
Enroll the user and created an idemix identity fabric-ca-client enroll --enrollment.type idemix -u http://User1#org1.example.com:mysecret#localhost:7054
Rename $USER1_DIR/msp/IssuerRevocationPublicKey to $USER1_DIR/msp/RevocationPublicKey. During transaction invocation, the name RevocationPublicKey is expected, not IssuerRevocationPublicKey
Prepare the idemix msp. I copied IssuerPublicKey and IssuerRevocationPublicKey of the CA to the msp folder. I need to rename IssuerRevocationPublicKey to RevocationPublicKey else configtxgen will complain
In configtx.yaml, add an Idemix MSP
- &Org1Idemix
Name: Org1IdemixMSP
# ID to load the MSP definition as
ID: Org1IdemixMSP
msptype: idemix
MSPDir: crypto-config/peerOrganizations/org1idemix.example.com/
Policies: &Org1IdemixMSPPolicies
Readers:
Type: Signature
Rule: "OR('Org1IdemixMSP.member')"
Writers:
Type: Signature
Rule: "OR('Org1IdemixMSP.member')"
Admins:
Type: Signature
Rule: "OR('Org1IdemixMSP.admin')"
Create genesis block, channel block, start network etc2 (as usual)
Try to query transaction and the aforementioned error appears
I did some troubleshooting and based on idemixgen documentation, I found out that I need to put a default signer into the idemix msp i.e. in the user folder. So I placed User1#org1.example.com's SignerConfig file into the user folder and rerun configtxgen. I received the following error:
Error loading MSP configuration for org: Org1IdemixMSP: unexpected EOF
Next I did some comparing with the SignerConfig generated by idemixgen and SignerConfig of User1#org1.example.com. The one generated by idemixgen cannot be opened while the other one is a .json file (shown below), so the format is different. Running configtxgen Using the SignerConfig generated by idemixgen is successful. I want to try to invoke transactions by identities generated by idemixgen but there is no way to generate an identity except for the default signer.
{
"Cred": "CkQKIK/7Slvg7laNMv8n7urCKpRN4gTZJZ7xQUyqPQ0GskWFEiCq/aRBmXlQAnSeJLXViGEHLRoztSCoHU6PDXaft+STexJECiB1dosl0QwT5dR/iNwfj0UvWZLph5U6fTMUVjYXE3W/UhIg6U+q6S9xMZhL7SHYe/v//Vhsw7X7N+93Ha4qQiWu0OIaIKcFZamTWwD5VQppZDEdxv5nr4DZAOn/S0r3gchLFG66IiD7kc8IZFRji8ub7yS5ueK8ZcLm5o+WR9a7wAx7o6fKQCogieDBP6ZS9S2R/JDVaLcAcNbtGlnF2fRS37GyoZmxko4qIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACKiArm8Pnrt+hrBAk1PD9trARpE6XVbdfXN+27uSe9r8uxCogAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE=",
"Sk": "LwrgRX48aewbqKWrvNjo5VFfNSDIJAvdaR4brzOsnWM=",
"organizational_unit_identifier": "org1",
"enrollment_id": "User1#org1.example.com",
"credential_revocation_information": "CAESiAEKIP4MM1C0yWwgKFYPV3wokTrOHFOaEr+EPNImFraJwJ77EiBOpmBXc4rAVNta4cY32BO5JN144ofQNYnSae00o35qKxogcCBG58VCo7N2dw11Ek4+Ue/LJHWNYVhI6Qm0gb7cJ/8iIAVU47zTiMKQQu6mSSl+sp+LTL6AghqYs+ASgRFKrQSbGmgwZgIxAJRyRpR+k3SaAVRm4GM3l+zBU6V/7g73C9RQIU9kPef9XqVl0Gb+hQqrgd1HsTQ5GgIxANb6XNB+CrrQgwbt6msa0SG+aQKpSl48EeP/V7beUkshNubudBS+WjS+PRbf5aW0Nw=="
}
Repo here: https://github.com/aldredb/idemix-sample

I went deep with the code...
if you interested, you can find the GetIdemixMspConfig function in msp/configbuilder.go at fabric 1.4 release branch.
in this function, we can see it will attempt loading a signconf with proto type.
However, we enroll the msp with ca client cli and which returns us a json...
I searched some topic as Unable to unmarshal json to protobuf struct field
In my point of view, that proto Unmarshal will fail with json format.

Error while submitting transactions in Hyperledger Fabric

I am running Hyperledger Fabric with 4 peers of 1 organization, 1 orderer and 1 CA. All 4 peers are on different VMs, orderer and CA are running on different VMs. Chaincode is up and running on all the VMs. I want to setup client on a different VM, which can send transaction requests to the network. Using this code, I have changed the address of VM to my peer0.
I run the following 2 files first:
node enrollAdmin.js
node registerUser.js
I am getting the following error on running the last command:
Store path:/root/gopath/src/github.com/hyperledger/fabric-samples/fabcar/hfc-key-store
Successfully loaded admin from persistence
Failed to register: Error: fabric-ca request register failed with errors [[{"code":20,"message":"Authentication failure"}]]
I checked the logs of CA container on the . Container log is as follows:
2019/04/16 17:34:55 [DEBUG] Received request for /api/v1/register
2019/04/16 17:34:55 [DEBUG] Caller is using a x509 certificate
2019/04/16 17:34:55 [DEBUG] Failed to verify token based on new authentication header requirements: %!s(<nil>)
2019/04/16 17:34:55 [INFO] 192.168.1.22:44826 POST /api/v1/register 401 26 "Untrusted certificate: Failed to verify certificate: x509:
certificate signed by unknown authority (possibly because of
"x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.org1.example.com")"
I have copied the same generated crypto material on all the VMs, including the client. How to resolve this error?
UPDATE: When I place the client code on one of the VMs running peer containers, it works fine. Transactions are executed successfully.

Error trying to ping. Error: 2 UNKNOWN: access denied:

I have successfully installed and started the business network using composer.I have installed and started using these commands:
composer network install --card PeerAdmin#hlfv1 --archiveFile procurement-phase#0.0.18.bna
composer network start --networkName procurement-phase --networkVersion 0.0.18 --networkAdmin admin --networkAdminEnrollSecret adminpw --card PeerAdmin#hlfv1 --file networkadmin.card
I have also imported the card created after the start of business network using :
composer card import --file networkadmin.card
Now I am trying to ping the network using the card:
composer network ping --card admin#procurement-phase
but I get
Error: Error trying to ping. Error: 2 UNKNOWN: access denied: channel [composerchannel] creator org [Org1MSP]
Command failed
Expected result:
The connection to the network was successfully tested: procurement-phase
version: 0.15.0-20171108090428
participant: org.hyperledger.composer.system.NetworkAdmin#admin
Command succeeded

Is the peer running properly? If you do something like: telnet localhost 7051 (If your peer would be in that ip and port) Do you get a connected message?
If it's another ip you should modify the connection.json file for the card.
You need to provide more information, explain the steps to took when bringing up the network, if it's the sample network...

It is because of the certificate errors.As I got the error in docker logs of certificate authority of org1 about the incorrect path to default ca.So i correctly specified path of the default ca folder in the volumes of ca in docker-compose.yaml .