Re: #fabric-ca #fabric-ca

Nick Frunza
 

Thank you for the hint

Nik

On Thu, Mar 28, 2019 at 4:22 PM Nye Liu <nye@...> wrote:

With one caveat: if you generate the CA with openssl, you need to wait 5 minutes before enrolling anyone; the CA server backdates enrolled certs by 5 minutes.

https://jira.hyperledger.org/browse/FABC-832

On 3/28/2019 11:29 AM, Vishal wrote:
Hi Nick,

Client certificates need not be issued by Fabric CA.
You can generate a self-signed CA + client certificate using OpenSSL.
Here is a nice explanation:

The configuration below ensures that the self-signed CA cert & other certificates issued by this CA are trusted by the peer.
CORE_PEER_TLS_CLIENTROOTCAS_FILES =  Self signed CA certificate


On Thu 28 Mar, 2019, 4:34 PM Nick Frunza, <nfrunza@...> wrote:
Another question is how to generate the client key and cert, and whether both key and cert need to be registered on the fabric-ca server? It is not clear, and what type of tools can we use to generate both?

nik

On Thu, Mar 28, 2019 at 8:33 AM Nick Frunza <nfrunza@...> wrote:
Thanks for the prompt reply. We are trying to use a fabric sample that has mutual TLS enabled with HLExplorer as a client, but it looks like fabric doesn't provide one; we will have to modify the balance-transfer client in order to use mutual TLS.

Another question is how to generate the client key and cert, and whether both key and cert need to be registered on the fabric-ca server? It is not clear, and what type of tools can we use to generate both?

nik


On Thu, Mar 28, 2019 at 3:23 AM Vishal <vishal3152@...> wrote:
Hi Nick,

The error message clearly says that the server (peer) did not receive the correct client certificate.
I assume that, along with CORE_PEER_TLS_CLIENTAUTHREQUIRED = true, you have set the env variables below correctly:
  • CORE_PEER_TLS_CLIENTROOTCAS_FILES = CA certificate
  • CORE_PEER_TLS_CLIENTCERT_FILE = client certificate
  • CORE_PEER_TLS_CLIENTKEY_FILE = client key
You may use fabric-ca to generate these client certificates. If you wish to use OpenSSL to generate client certs, keep in mind that RSA keys are not supported by fabric.

You have to assign these certificates to the client instance as well. I prefer to do it this way.

I would have used curl to verify the 2-way TLS authentication configuration, if it were HTTPS:
curl -v --cacert ./ca.crt --key ./client.key --cert ./client.crt https://abc.com


Furthermore, you may check out this blog; it could be of some help.

Kind regards
Vishal Yadav



On Thu, Mar 28, 2019 at 1:07 AM Nick Frunza <nfrunza@...> wrote:
Hello,

Are there any fabric samples with Mutual TLS enabled, aka. CORE_PEER_TLS_CLIENTAUTHREQUIRED=true ?
I enabled balance transfer with Mutual TLS, but it fails when running testAPI.sh with this error:

2019-03-27T20:57:05.419Z - error: [Remote.js]: Error: Failed to connect before the deadline URL:grpcs://localhost:7051
[2019-03-27 16:57:05.419] [ERROR] Query - Error: Failed to connect before the deadline URL:grpcs://localhost:7051
    at checkState (/home/mn/git/fabric-network/fabric-samples/balance-transfer/node_modules/grpc/src/client.js:720:16)
E0327 16:57:10.541722858    7375 ssl_transport_security.cc:219] ssl_info_callback: error occured.

E0327 16:57:10.541763890    7375 ssl_transport_security.cc:1227] Handshake failed with fatal error SSL_ERROR_SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate.
E0327 16:57:12.156285882    7375 ssl_transport_security.cc:219] ssl_info_callback: error occured.


thank you

Nik



--
Nik Frunza

