Re: Generate TLS certificates using CA and not cryptogen #fabric #fabric-ca #fabricca
Nye Liu <nye@...>
Some of my notes are here:
When you say "enable TLS" do you mean mutual TLS?
On 5/24/2019 5:23 AM, Jean-Gaël Dominé wrote:
I'm looking for some help to understand how to use the CA to generate the TLS certificates, private key, ... of my components (peers, orderer)
Indeed I'm currently working on moving from using cryptogen which is for development to the CA that is more for production from my understanding.
What I'm currently doing is having a CLI that uses fabric-ca-client to connect to the CA to register and enroll the different components. I also do that to get the TLS artifacts.
To do so my inspiration was here: https://github.com/aidtechnology/hgf-k8s-workshop/tree/master/prod_example.
Everything works fine (channel creation, channel join, ..., chaincode instantiation) until I try to enable TLS.
Then I get the following error:
The two IPs are the orderer's and the REST api's (inspired from balance-transfer sample)

2019-05-24 08:40:29.232 UTC [grpc] newHTTP2Transport -> DEBU 17a grpc: Server.Serve failed to create ServerTransport: connection error: desc = "transport: http2Server.HandleStreams failed to receive the preface from client: EOF"
2019-05-24 08:42:28.023 UTC [grpc] newHTTP2Transport -> DEBU 17b grpc: Server.Serve failed to create ServerTransport: connection error: desc = "transport: http2Server.HandleStreams failed to receive the preface from client: read tcp 10.50.131.94:7050->10.50.131.97:36244: read: connection reset by peer"
I managed to figure out that the problem comes from the TLS artifacts I get from the CA.
Indeed, for a test I kept generating all the normal artifacts (msp) using the CA, but to get the TLS artifacts I used cryptogen.
In this case everything works again so I assume the issue is around the way I call the CA for the TLS artifacts.
The only source to do it I found is this one:
So I ended up doing this:
fabric-ca-client enroll --enrollment.profile tls -m orderer-miles-com -u https://ord:OrdPW@$CA_URL -M ./crypto-config/ordererOrganizations/miles-com/orderer-miles-com/tls --tls.certfiles /etc/hyperledger/tls/ca-miles-com-cert.pem
It gives me a tls folder with some files inside 3 folders: keystore, signcerts and tlscacerts
It's worth noting that when using the fabric-ca-client command, it uses the default fabric-ca-client-config.yaml it creates on the fly. It may be the problem I don't know...
Does someone have any idea what I'm doing wrong?
Thank you in advance for your help
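Added here as an example, not code from the thread or from Fabric: a small POSIX shell check that validates the three artifacts the tls enrollment profile writes (keystore/, signcerts/, tlscacerts/) before a peer or orderer is configured with them. It assumes openssl is on the PATH and that the hostname passed is the one other nodes and clients dial; the directory layout is the one described in the message above.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the artifacts that
# "fabric-ca-client enroll --enrollment.profile tls -M <dir>" writes into
# <dir>/keystore, <dir>/signcerts and <dir>/tlscacerts before a peer or
# orderer is started with them. Assumes openssl is on the PATH.
#
# usage: check_tls_artifacts <msp_dir> <hostname the node is dialled by>
# returns 0 when all three checks pass, 1 (with a reason) otherwise.
check_tls_artifacts() {
  dir="$1"; host="$2"
  cert=$(ls "$dir"/signcerts/*.pem 2>/dev/null | head -n 1)
  key=$(ls "$dir"/keystore/* 2>/dev/null | head -n 1)
  ca=$(ls "$dir"/tlscacerts/*.pem 2>/dev/null | head -n 1)
  if [ -z "$cert" ] || [ -z "$key" ] || [ -z "$ca" ]; then
    echo "missing keystore/signcerts/tlscacerts file under $dir"; return 1
  fi
  # 1. The private key in keystore/ must be the one the certificate was issued for.
  if [ "$(openssl x509 -in "$cert" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
    echo "keystore key does not match signcerts certificate"; return 1
  fi
  # 2. The certificate must chain to the TLS CA root that the remote side trusts.
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "certificate does not verify against $ca"; return 1
  fi
  # 3. Current Go TLS clients (Fabric is written in Go) match the dialled hostname
  #    against the SAN list only, so the name the node is reached by must be there.
  if ! openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' \
       | tr ',' '\n' | tr -d ' ' | grep -qx "DNS:$host"; then
    echo "no DNS SAN for $host in $cert"; return 1
  fi
  # Informational: mutual TLS needs clientAuth as well as serverAuth on this cert.
  echo "extendedKeyUsage: $(openssl x509 -in "$cert" -noout -text \
       | grep -A1 'Extended Key Usage' | tail -n 1 | sed 's/^ *//')"
  echo "TLS artifacts under $dir are consistent for $host"
}
```

Run it once per node directory with the hostname from the node's address; the first failing check names which of the three artifacts to look at.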