The official hyperledger fabric v1.0.0 gives a simple demo by using docker. Here is the link.
What i am doing is to avoid docker and directly run them on the machine. Thanks to the answer from my previous question, I have successfully launch 1 solo orderer and two peers, each from one org.
This is part of orderer's config orderer.yaml and i am sure the tls-related path is set correctly.
General:
# Ledger Type: The ledger type to provide to the orderer.
# Two non-production ledger types are provided for test purposes only:
# - ram: An in-memory ledger whose contents are lost on restart.
# - json: A simple file ledger that writes blocks to disk in JSON format.
# Only one production ledger type is provided:
# - file: A production file-based ledger.
LedgerType: file
# Listen address: The IP on which to bind to listen.
ListenAddress: 127.0.0.1
# Listen port: The port on which to bind to listen.
ListenPort: 7040
# TLS: TLS settings for the GRPC server.
TLS:
Enabled: true
PrivateKey: ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.key
Certificate: ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt
RootCAs:
- ordererOrganizations/example.com/orderers/orderer.example.com/tls/ca.crt
ClientAuthEnabled: false
ClientRootCAs:
# Log Level: The level at which to log. This accepts logging specifications
# per: fabric/docs/Setup/logging-control.md
LogLevel: debug
However, when I want to create the channel using command as follows:
export FABRIC_CFG_PATH=$PWD
export CHANNEL_NAME=my_channel
export CORE_PEER_LOCALMSPID="Org1MSP"
export CORE_PEER_TLS_ROOTCERT_FILE=crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
export CORE_PEER_MSPCONFIGPATH=crypto-config/peerOrganizations/org1.example.com/users/Admin#org1.example.com/msp
export CORE_PEER_ADDRESS=127.0.0.1:7001
peer channel create -o 127.0.0.1:7040 -c $CHANNEL_NAME -f channel-artifacts/channel.tx --tls true --cafile $ORDERER_CA >&log.txt
The log reports the error saying as follows:
Error: Error connecting due to rpc error: code = Internal desc = connection error: desc = "transport: authentication handshake failed: x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs"
I think it is related to a tls configuration problem. I am not very familiar about it. Can any one help me to solve this simple problem and give me a simple explanation?
The error is caused due to hostname verification failing at the TLS layer.
The TLS certificates don't have IP Subject Alternative Names (SANs) - they only have DNS-based SANs.
The easiest thing to do is to just add host entries into your /etc/hosts file (assuming you are running on Linux or macOS). Assuming that you are running everything on the same machine, then adding the following line to your /etc/hosts should resolve your issue:
127.0.0.1 localhost orderer peer0.org1.example.com peer0.org2.example.com
And then make sure to use the hostnames rather than IP addresses:
export FABRIC_CFG_PATH=$PWD
export CHANNEL_NAME=my_channel
export CORE_PEER_LOCALMSPID="Org1MSP"
export CORE_PEER_TLS_ROOTCERT_FILE=crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
export CORE_PEER_MSPCONFIGPATH=crypto-config/peerOrganizations/org1.example.com/users/Admin#org1.example.com/msp
export CORE_PEER_ADDRESS=peer0.org1.example.com:7001
peer channel create -o orderer:7040 -c $CHANNEL_NAME -f channel-artifacts/channel.tx --tls true --cafile $ORDERER_CA >&log.txt
Related
I installed the chaincode on the network but when I'm trying to instantiate,
I'm getting :
"Error: error getting broadcast client: orderer client failed to connect to 127.0.0.1:7050: failed to create new connection: context deadline exceeded"
Also, I tried to add TLS but then I get the following error:
Error: error getting broadcast client: failed to load config for OrdererClient: unable to load orderer.tls.rootcert.file:
And, the orderer logs are:
My orderer TLS is enabled now:
I'll be glad if someone can help or guide me atleast, I'm new to HyperledgerFabric.Thank you.
Adapt to your case:
peer chaincode instantiate -n mychannel -v 1.0 -C petshop -c '{"Args":[""]}' -o 127.0.0.1:7050 --tls --cafile /path/to/orderer/tls/ca.pem
Check the "orderer" logs precisely at the time you are instantiating the chaincode (first without TLS and then with TLS). You can see that time from your command-line when you are running that command.
Update your question with that section of orderer logs.
Also, if I need to guess from your current orderer nodes, you might not have enabled TLS for the orderer container.
How can we implement TLS in first-network?i have tried by adding the below section in peers.What is the need to configure peers by Tls?
CORE_PEER_TLS_ENABLED=true
CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt
I am working on multi organisation network setup using first network of fabric samples.one of the organisation say org1 has created a channel by passing tls certs of orderer ,the other organisation org2 has to fetch the channel created by org1 and join the peers into the channel.when i do fetch action using peer channel fetch by passing tls certs of orderer ,i got the error like
peer channel fetch config-o orderer.example.com:7050 -c channelone1 -f --tls true --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
connection error: desc = "transport: Error while dialing dial tcp 98.124.199.121:7050: connect: connection refused". Reconnecting...
and in orderer logs ,i got error as :
TLS handshake failed with error tls: client didn't provide a certificate {"server": "Orderer", "remote address": "172.24.0.4:49608"}
Created the channel using:
peer channel create -o orderer.example.com:7050 -c channelone1 -f ./channel-artifacts/channel-one.tx --tls true --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
Output is: Received block is 0
By default the first-network will start with TLS enabled.
The four environment variables you refer to are included in the file base/peer-base.yaml the the peer-base file is "included" by use of the extends: and file: base/docker-compose-base.yaml
I am trying to run a sample Hyperledger Fabric network without using docker and trying to create channel by following this tutorial.
orderer is running normally in terminal window 1 and is ready to serve requests as you can see in image: here
peer is also running normally in terminal window 2 :
here
Now, when I try to create a channel and run below command from terminal window 3 :
./peer channel create -o localhost:7050 -c mychannel
-f ./channel-artifacts/channel.tx
--tls true
--cafile
./crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
It gives following error :
Error: failed to create deliver client: orderer client failed to connect to orderer.example.com:7050: failed to create new connection: context deadline exceeded
orderer.example.com is likely not a known host on your local machine. You'll need to create an entry in your /etc/hosts file which maps orderer.example.com to either the IP address of the host or the loopback address 127.0.0.1.
For example:
127.0.0.1 localhost orderer.example.com
I have a multi-org network fabric network up and running from different hosts.
The docker containers for the peers have TLS enabled. The build configuration of the peer:
- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
- CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
- CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt
While creating and joining the channel I followed byfn docs and did not supply the TLS cert/file of the peer while joining the channel. All the peers were able to join the channel.
However, when I tried to fetch the newest block using peer channel fetch newest -o orderer.example.com:7050 -c examplechannel, I got the error:
Serve failed to complete security handshake from "ip:43402": tls: first record does not look like a TLS handshake
Further, I referred this doc on TLS and this doc
on passing TLS certs of the peer with the above fetch command:
peer channel fetch newest -o orderer.example.com:7050 -c examplechannel --tls --certfile $CORE_PEER_TLS_CERT_FILE --keyfile $CORE_PEER_TLS_KEY_FILE --cafile $CORE_PEER_TLS_ROOTCERT_FILE
This gave a new error:
grpc: Server.Serve failed to complete security handshake from "ip:43496": remote error: tls: bad certificate
Debugging TLS issues doc states that this happens when the server does not trust the client certificate. So in my case, I infer that the orderer is not trusting the certificate that the peer is passing.
So
Does it mean that I was supposed to pass TLS_CERT, TLS_KEY and TLS_ROOT cert while proposing a channel join from this peer?
If #1 is true, can I pass these certificates without bringing down the network and rejoining the channel with certs?
While creating the channel, it uses orderer's ca-cert. Also, when submitting anchor peer transaction, it uses orderer's ca cert? So am I supposed to use Orderer's ca cert for peer fetch command as well?
If #3 is true, then in a production environment, do we need to build up the peer containers such that it contains orderer's ca-cert?
There are multiple concepts baked into your questions. It's important to understand that there is a difference between using the peer to run a peer node--peer node start-- and using the peer as a CLI (e.g. peer channel fetch).
When the peer is running as a server, there's no need to pass in crypto material for the channels as the peer actually extracts the required TLS certificate information from the config block passed in the peer channel join ... command.
When the peer is running in CLI mode, you do need to provide the the TLS certificate information to connect to the various endpoints. When communicating with peers, this information is extracted from the peer config (either in core.yaml or from the corresponding CORE_ environment variables). When communicating with the orderer, there are specific command line flags for setting the TLS material.
Using Linux 16.04 and docker All the containers are running fine .Successfully installed the chaincode on core peer.
But At the time of chaincode instansiate
peer chaincode instantiate -o orderer.example.com:7050 -C $CHANNEL_NAME -n fabcar -l "golang" -v 1.0 -c '{"Args":[""]}' -P "OR ('Org1MSP.member','Org2MSP.member')"
Geeting error
`Error: could not send: rpc error: code = Unavailable desc = transport is closing`
Thanks in advance.
I was facing this issue because I enabled tls on the peer but not providing the tls and ca file to the orderer at the time of chaincode instantiate.
This may work:
Bring down the network
Disable TLS in below files by commenting environment variables listed below.
base/docker-compose-base.yaml
base/peer-base.yaml
docker-compose-cli.yaml:
docker-compose-e2e-template.yam
ENV:
CORE_PEER_TLS_ENABLED
CORE_PEER_TLS_CERT_FILE
CORE_PEER_TLS_KEY_FILE
CORE_PEER_TLS_ROOTCERT_FILE
Bring up the network
Another way is to pass TLS certificate as an argument to peer fetch channel command.