Re: #fabric-ca #fabric-ca

Nick Frunza
 

Another question is how to generate the client key and cert, and do both the key and cert need to be registered on the fabric-ca server? It is not clear. And what type of tools can we use to generate both?

nik

On Thu, Mar 28, 2019 at 8:33 AM Nick Frunza <nfrunza@...> wrote:
Thanks for the prompt reply. We are trying to use a fabric sample that has mutual TLS enabled with HLExplorer as a client, but it looks like fabric doesn't provide one, so we will have to modify the balance transfer client in order to use mutual TLS.

Another question is how to generate the client key and cert, and do both the key and cert need to be registered on the fabric-ca server? It is not clear. And what type of tools can we use to generate both?

nik


On Thu, Mar 28, 2019 at 3:23 AM Vishal <vishal3152@...> wrote:
Hi Nick,

The error message clearly says that the server (peer) did not receive the correct client certificate.
I assume that, along with CORE_PEER_TLS_CLIENTAUTHREQUIRED = true, you have set the env variables below correctly:
  • CORE_PEER_TLS_CLIENTROOTCAS_FILES =  CA certificate
  • CORE_PEER_TLS_CLIENTCERT_FILE = client certificate
  • CORE_PEER_TLS_CLIENTKEY_FILE = client key
You may use the fabric-ca to generate these client certificates. If you wish to use OpenSSL to generate client certs, keep in mind that RSA keys are not supported by fabric.

You have to assign these certificates to the client instance as well. I prefer to do it this way.

 
I would have used curl to verify the 2-way TLS authentication configuration, if it was https.
curl -v --cacert ./ca.crt --key ./client.key --cert ./client.crt https://abc.com


Furthermore, you may check out this blog; it could be of some help.

Kind regards
Vishal Yadav



On Thu, Mar 28, 2019 at 1:07 AM Nick Frunza <nfrunza@...> wrote:
Hello,

Are there any fabric samples with Mutual TLS enabled, aka CORE_PEER_TLS_CLIENTAUTHREQUIRED=true?
I enabled balance transfer with Mutual TLS, but it fails when running testAPI.sh with error:

2019-03-27T20:57:05.419Z - error: [Remote.js]: Error: Failed to connect before the deadline URL:grpcs://localhost:7051
[2019-03-27 16:57:05.419] [ERROR] Query - Error: Failed to connect before the deadline URL:grpcs://localhost:7051
    at checkState (/home/mn/git/fabric-network/fabric-samples/balance-transfer/node_modules/grpc/src/client.js:720:16)
E0327 16:57:10.541722858    7375 ssl_transport_security.cc:219] ssl_info_callback: error occured.

E0327 16:57:10.541763890    7375 ssl_transport_security.cc:1227] Handshake failed with fatal error SSL_ERROR_SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate.
E0327 16:57:12.156285882    7375 ssl_transport_security.cc:219] ssl_info_callback: error occured.


thank you

Nik



--
Nik Frunza
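
Added example, not part of the original thread and not Fabric project code: one way to generate a non-RSA (EC P-256) client key and certificate with OpenSSL, as the reply above suggests, and to check the result before using it as the client certificate and key. The CA is a constructed test CA standing in for the one named in CORE_PEER_TLS_CLIENTROOTCAS_FILES; all file names, subject names and function names are assumptions.

```shell
#!/bin/sh
# Added example: constructed test CA plus an EC client certificate for mutual TLS.
# File names, subject names and function names are constructed placeholders.

# Print a certificate's public-key algorithm (id-ecPublicKey, rsaEncryption, ...).
cert_key_alg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public Key Algorithm: *//p'
}

# Succeed only if the cert chains to the CA for client auth and carries an EC key.
check_client_cert() {   # usage: check_client_cert ca.crt client.crt
    openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    [ "$(cert_key_alg "$2")" = "id-ecPublicKey" ]
}

# Create ca.key/ca.crt and client.key/client.crt in directory $1.
make_client_cert() {
    out=$1
    mkdir -p "$out" || return 1
    # Private config so the run does not depend on a system openssl.cnf.
    cat > "$out/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed-placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
    # Test CA: its certificate is what the server side trusts for client certs.
    openssl ecparam -name prime256v1 -genkey -noout -out "$out/ca.key" &&
    openssl req -x509 -new -config "$out/openssl.cnf" -extensions v3_ca \
        -key "$out/ca.key" -sha256 -days 30 -subj "/CN=constructed-test-ca" \
        -out "$out/ca.crt" &&
    # Client: EC P-256 key (not RSA), CSR, then a cert signed by the test CA.
    openssl ecparam -name prime256v1 -genkey -noout -out "$out/client.key" &&
    openssl req -new -config "$out/openssl.cnf" -key "$out/client.key" \
        -subj "/CN=constructed-client" -out "$out/client.csr" &&
    openssl x509 -req -in "$out/client.csr" -CA "$out/ca.crt" -CAkey "$out/ca.key" \
        -CAcreateserial -sha256 -days 30 -extfile "$out/openssl.cnf" \
        -extensions v3_client -out "$out/client.crt" &&
    chmod 600 "$out/ca.key" "$out/client.key"
}
```

A "bad certificate" alert like the one in the log is what a server sends when `check_client_cert` would fail against the CA file it actually trusts, so running the check with that CA file narrows down whether the chain or the key type is the problem.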



