Failed to run Node.js SDK on v2.2.2 network upgraded from v1.2.0 #fabric-sdk-node #tls #openssl

Yoojin Chang

I think I don't need to change any msp or tls files unless they are expired when upgrading the network.
How can I use the TLS CA certificate I was using on v1.2.0 network after upgrading to v2.2.2?

Here's what I've tested and run:
1) I created v1.2.0 network and upgraded it to v2.2.2
I successfully redeployed chaincodes and ran(invoke/query) chaincodes by CLI.
But I failed to run chaincodes by Node.js SDK.
The log is as follows.
2021-07-15T04:38:15.011Z - error: [ServiceEndpoint]: Error: Failed to connect before the deadline on Endorser- name:, url:grpcs://, connected:false, connectAttempted:true
2021-07-15T04:38:15.012Z - error: [ServiceEndpoint]: waitForReady - Failed to connect to remote gRPC server url:grpcs:// timeout:3000
2021-07-15T04:38:15.013Z - error: [NetworkConfig]: buildPeer - Unable to connect to the endorser due to Error: Failed to connect before the deadline on Endorser- name:, url:grpcs://, connected:false, connectAttempted:true

2) So I created another v1.4.1 network and then upgraded it to v2.2.2
In this case, I successfully ran chaincodes by CLI and also Node.js SDK.

3) I thought this was a problem with tls communication.
So I set TLS=false on network which was upgraded from v1.2.0 and then retried to invoke/query chaincodes by Node.js SDK.
It worked.

4) I changed packages of SDK from fabric-network@2.1.0 to fabric-client@1.4.11 and retried, and then I got more detailed logs.
E0714 12:51:34.945769000 4362497472]    Handshake failed with fatal error SSL_ERROR_SSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed.
D0714 12:51:34.945789000 4362497472]        Security handshake failed: {"created":"@1626234694.945777000","description":"Handshake failed","file":"../deps/grpc/src/core/lib/security/transport/","file_line":291,"tsi_code":10,"tsi_error":"TSI_PROTOCOL_FAILURE"}
I0714 12:51:34.945795000 4362497472]                 TCP 0x13b0e9480 shutdown why={"created":"@1626234694.945777000","description":"Handshake failed","file":"../deps/grpc/src/core/lib/security/transport/","file_line":291,"tsi_code":10,"tsi_error":"TSI_PROTOCOL_FAILURE"}
I0714 12:51:34.945857000 4362497472]                Connect failed: {"created":"@1626234694.945777000","description":"Handshake failed","file":"../deps/grpc/src/core/lib/security/transport/","file_line":291,"tsi_code":10,"tsi_error":"TSI_PROTOCOL_FAILURE"}

5) I compared the TLS CA certificate of v1.2.0 with the TLS CA certificate of v1.4.1.
As a result, the "Extended Key Usage" was different as follows.
v1.2.0 : Any Extended Key Usage
v1.4.1 : TLS Web Client Authentication, TLS Web Server Authentication

6) I searched for this issue and found that the version of openssl included in Node.js is related to the "Extended Key Usage" of the certificate.
=> So I need exact Extended Key Usage in TLS CA certificate when using SDK with Node.js 10.

Join to automatically receive all group messages.