Re: "bad certificate" #fabric-ca #fabricca #fabric-questions


Marco Ippolito
 

Enabling TLS through the command line gives this output:

(base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server start -b admin:adminpw --tls.enabled
2019/09/26 14:02:09 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
2019/09/26 14:02:09 [INFO] Starting server in home directory: /home/marco/fabric/fabric-ca
2019/09/26 14:02:09 [INFO] Server Version: 1.4.4
2019/09/26 14:02:09 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/09/26 14:02:09 [INFO] The CA key and certificate already exist
2019/09/26 14:02:09 [INFO] The key is stored by BCCSP provider 'SW'
2019/09/26 14:02:09 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
2019/09/26 14:02:09 [WARNING] Failed to connect to database 'fabmnetdb'
2019/09/26 14:02:09 [WARNING] Failed to connect to database 'postgres'
2019/09/26 14:02:09 [WARNING] Failed to connect to database 'template1'
2019/09/26 14:02:09 [ERROR] Error occurred initializing database: Failed to connect to Postgres database. Postgres requires connecting to a specific database, the following databases were tried: [fabmnetdb postgres template1]. Please create one of these database before continuing
2019/09/26 14:02:09 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
2019/09/26 14:02:09 [INFO] Operation Server Listening on 127.0.0.1:9443
2019/09/26 14:02:09 [INFO] generating key: &{A:ecdsa S:256}
2019/09/26 14:02:09 [INFO] encoded CSR
2019/09/26 14:02:09 [INFO] signed certificate with serial number 92902964373330420996414514456924886556455364958
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0xe5d931]

goroutine 1 [running]:
github.com/hyperledger/fabric-ca/lib.(*CertDBAccessor).checkDB(...)
/home/marco/go/src/github.com/hyperledger/fabric-ca/lib/certdbaccessor.go:68
github.com/hyperledger/fabric-ca/lib.(*CertDBAccessor).InsertCertificate(0x0, 0xc0002449c0, 0x2f, 0xc000244a20, 0x28, 0x0, 0x0, 0x1101b40, 0x4, 0x0, ...)
/home/marco/go/src/github.com/hyperledger/fabric-ca/lib/certdbaccessor.go:84 +0x91
github.com/hyperledger/fabric-ca/vendor/github.com/cloudflare/cfssl/signer/local.(*Signer).Sign(0xc00026fc80, 0x0, 0x0, 0x0, 0xc0003f0800, 0x1f9, 0x0, 0x110158b, 0x3, 0x0, ...)
/home/marco/go/src/github.com/hyperledger/fabric-ca/vendor/github.com/cloudflare/cfssl/signer/local/local.go:408 +0xcbe
github.com/hyperledger/fabric-ca/lib.(*Server).autoGenerateTLSCertificateKey(0xc000110160, 0x29, 0xc0004f9c00)
/home/marco/go/src/github.com/hyperledger/fabric-ca/lib/server.go:878 +0x43e
github.com/hyperledger/fabric-ca/lib.(*Server).listenAndServe(0xc000110160, 0x1103e0c, 0x6)
/home/marco/go/src/github.com/hyperledger/fabric-ca/lib/server.go:634 +0xde8
github.com/hyperledger/fabric-ca/lib.(*Server).Start(0xc000110160, 0xc000110160, 0x0)
/home/marco/go/src/github.com/hyperledger/fabric-ca/lib/server.go:199 +0x377
main.(*ServerCmd).init.func3(0xc00015e480, 0xc000298840, 0x0, 0x3, 0x0, 0x0)
/home/marco/go/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/servercmd.go:121 +0xd5
github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).execute(0xc00015e480, 0xc000298780, 0x3, 0x3, 0xc00015e480, 0xc000298780)
/home/marco/go/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:643 +0x3e6
github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).ExecuteC(0xc00015e000, 0x5, 0xc00024bf01, 0xc0000cc140)
/home/marco/go/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:734 +0x2be
github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).Execute(...)
/home/marco/go/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:692
main.(*ServerCmd).Execute(...)
/home/marco/go/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/servercmd.go:69
main.RunMain(0xc0000cc000, 0x5, 0x5, 0xc00024bf88, 0xc0000a6058)
/home/marco/go/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:45 +0xb5
main.main()
/home/marco/go/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:27 +0x45

postgresql-11-fabmnet.log :

2019-09-26 14:02:09.669 CEST [6267] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
2019-09-26 14:02:09.672 CEST [6270] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
2019-09-26 14:02:09.675 CEST [6271] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate

The very first error message says: 2019/09/26 14:02:09 [WARNING] Failed to connect to database 'fabmnetdb'


I then modified the postgresql.conf file to point to the .pem file created during the fabric-ca-server start execution. The problem is that there is no corresponding .key file:

putting in /etc/postgresql/11/fabmnet/postgresql.conf:

ssl_cert_file = '/home/marco/fabric/fabric-ca/ca-cert.pem'

but without any .key file, because fabric-ca-server start created ca-cert.pem but not the corresponding .key file:

(base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server start -b admin:adminpw
2019/09/26 14:23:12 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
2019/09/26 14:23:12 [INFO] Starting server in home directory: /home/marco/fabric/fabric-ca
2019/09/26 14:23:12 [INFO] Server Version: 1.4.4
2019/09/26 14:23:12 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/09/26 14:23:12 [INFO] The CA key and certificate already exist
2019/09/26 14:23:12 [INFO] The key is stored by BCCSP provider 'SW'
2019/09/26 14:23:12 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
2019/09/26 14:23:12 [WARNING] Failed to connect to database 'fabmnetdb'
2019/09/26 14:23:12 [WARNING] Failed to connect to database 'postgres'
2019/09/26 14:23:12 [WARNING] Failed to connect to database 'template1'
2019/09/26 14:23:12 [ERROR] Error occurred initializing database: Failed to connect to Postgres database. Postgres requires connecting to a specific database, the following databases were tried: [fabmnetdb postgres template1]. Please create one of these database before continuing
2019/09/26 14:23:12 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
2019/09/26 14:23:12 [INFO] Operation Server Listening on 127.0.0.1:9443
2019/09/26 14:23:12 [INFO] Listening on http://0.0.0.0:7054

The corresponding postgresql-11-fabmnet.log file:

2019-09-26 14:15:05.203 CEST [1077] LOG:  received fast shutdown request
2019-09-26 14:15:05.206 CEST [1077] LOG:  aborting any active transactions
2019-09-26 14:15:05.213 CEST [1077] LOG:  background worker "logical replication launcher" (PID 1133) exited with exit code 1
2019-09-26 14:15:05.213 CEST [1126] LOG:  shutting down
2019-09-26 14:15:05.237 CEST [1077] LOG:  database system is shut down
2019-09-26 14:15:05.358 CEST [6705] FATAL:  could not access private key file "server.key": No such file or directory
2019-09-26 14:15:05.358 CEST [6705] LOG:  database system is shut down

The question is: how to create the .key together with the .pem file during fabric-ca-server start?


On Thu, 26 Sep 2019 at 14:01, Nicholas Zanutim <nlzanutim@...> wrote:
I'm still not sure what step you are on or the command you're running, but if you run

fabric-ca-server start -b admin:adminpw --tls.enabled 

then it should generate all of it for you with the flags. I still haven't tried init first, configuring the config file, then running start.

On Thursday, 26 September 2019 at 07:58:53 BRT, Marco Ippolito <ippolito.marco@...> wrote:


Hi Nicholas,

the fabric-ca-server-config.yaml is set as follows:

tls:
  # Enable TLS (default: false)
  enabled: false
  # TLS for the server's listening port
  certfile:
  keyfile:
  clientauth:
    type: noclientcert
    certfiles:

ca:
  # Name of this CA
  name:
  # Key file (is only used to import a private key into BCCSP)
  keyfile:
  # Certificate file (default: ca-cert.pem)
  certfile:
  # Chain file
  chainfile:

db:
  type: postgres
  datasource: host=localhost port=5433 user=fabmnet_admin password=fabmnet1971 dbname=fabmnetdb sslmode=verify-full

ldap:
  enabled: false


in /etc/postgresql/11/fabmnet/postgresql.conf:

ssl = on
ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'

What am I doing wrong?

Marco


On Thu, 26 Sep 2019 at 12:43, Marco Ippolito <ippolito.marco@...> wrote:
Hi Nicholas,
thanks for answering.

I'm trying to follow step-by-step the instructions described here: https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#fabric-ca-server



On Thu, 26 Sep 2019 at 12:30, Nicholas Leonardi <nlzanutim@...> wrote:
Please give us more details on what you're trying to do. Are you just starting the server and it gives the error? Are you trying to enroll/register with fabric-ca-client?

On Sep 26, 2019, at 07:17, Marco Ippolito <ippolito.marco@...> wrote:
After removing the previous cert and key files, I started the fabric-ca server again and discovered that new cert and key files were created:
 
(base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server start -b admin:adminpw
2019/09/26 11:56:18 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
2019/09/26 11:56:18 [INFO] Starting server in home directory: /home/marco/fabric/fabric-ca
2019/09/26 11:56:18 [INFO] Server Version: 1.4.4
2019/09/26 11:56:18 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/09/26 11:56:18 [WARNING] &{69 The specified CA certificate file /home/marco/fabric/fabric-ca/ca-cert.pem does not exist}
2019/09/26 11:56:18 [INFO] generating key: &{A:ecdsa S:256}
2019/09/26 11:56:18 [INFO] encoded CSR
2019/09/26 11:56:18 [INFO] signed certificate with serial number 542755587310273579559145444277178107021548224556
2019/09/26 11:56:18 [INFO] The CA key and certificate were generated for CA
2019/09/26 11:56:18 [INFO] The key was stored by BCCSP provider 'SW'
2019/09/26 11:56:18 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
2019/09/26 11:56:18 [WARNING] Failed to connect to database 'fabmnetdb'
2019/09/26 11:56:18 [WARNING] Failed to connect to database 'postgres'
2019/09/26 11:56:18 [WARNING] Failed to connect to database 'template1'
2019/09/26 11:56:18 [ERROR] Error occurred initializing database: Failed to connect to Postgres database. Postgres requires connecting to a specific database, the following databases were tried: [fabmnetdb postgres template1]. Please create one of these database before continuing
2019/09/26 11:56:18 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
2019/09/26 11:56:18 [INFO] Operation Server Listening on 127.0.0.1:9443
2019/09/26 11:56:18 [INFO] Listening on http://0.0.0.0:7054
 
but, again, the corresponding log says "bad certificate":
 
2019-09-26 11:55:04.514 CEST [4837] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
2019-09-26 11:55:04.517 CEST [4839] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
2019-09-26 11:55:04.518 CEST [4840] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
2019-09-26 11:56:18.967 CEST [4862] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
2019-09-26 11:56:18.969 CEST [4865] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
2019-09-26 11:56:18.971 CEST [4866] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate


 
So, how could it be "bad certificate" if it has just been created brand new by the execution of fabric-ca-server start?

The fabric-ca-server-config.yaml is set as follows:

tls:
  # Enable TLS (default: false)
  enabled: false
  # TLS for the server's listening port
  certfile:
  keyfile:
  clientauth:
    type: noclientcert
    certfiles:

ca:
  # Name of this CA
  name:
  # Key file (is only used to import a private key into BCCSP)
  keyfile:
  # Certificate file (default: ca-cert.pem)
  certfile:
  # Chain file
  chainfile:

db:
  type: postgres
  datasource: host=localhost port=5433 user=fabmnet_admin password=fabmnet1971 dbname=fabmnetdb sslmode=verify-full

Can you please tell me how to correctly configure fabric-ca-server-config.yaml ?

Marco
