Re: Generate TLS certificates using CA and not cryptogen #fabric #fabric-ca #fabricca


Jean-Gaël Dominé <jgdomine@...>
 

Hi SteveLiuu,

I'll answer here as it could also help other people struggling with the same problem.

So I finally progressed on the orderer<->peer communication that was raising TLS handshake errors:

Orderer logs:

2019-09-26 11:38:26.715 UTC [core.comm] ServerHandshake -> ERRO 00f TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=10.50.129.2:46848
2019-09-26 11:38:26.715 UTC [grpc] handleRawConn -> DEBU 010 grpc: Server.Serve failed to complete security handshake from "10.50.129.2:46848": remote error: tls: bad certificate

Peer logs:

2019-09-26 11:47:26.124 UTC [grpc] createTransport -> DEBU f93 grpc: addrConn.createTransport failed to connect to {orderer-miles-com:7050 0  <nil>}. Err :connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority". Reconnecting...

My problem was that I didn't know how the orderer and the peers were verifying each other's identity during the TLS handshake in Fabric, as they don't have the other's CA root certificate. Especially the peers, which only have their own certificates.
The light came from this post (the only one that eventually and really helped me :) ): https://stackoverflow.com/a/57553669/10378672

In fact, the root certificates are retrieved from the genesis block (I must have missed that explanation in the Fabric documentation). But with the CA, the /enroll calls I was doing put the generated TLS root certificates in a separate folder from the msp one, and the genesis block creation command (configtxgen) uses only the files inside the msp...
So I ended up manually copying the TLS root certificates into the different msp folders (orderer and peers).
Unsurprisingly, the genesis block now contained more certificates than before...

It instantly solved the issue.

However, I have another issue now with the gossip communication. I have error messages after making the join call.

Here are the logs of peer1 of org1:
2019-09-27 13:53:33.542 UTC [gossip.comm] sendToEndpoint -> WARN 18a Failed obtaining connection for 10.50.133.30:7051, PKIid:8d8455016f555e26952048f7342aeb558d4fff9d7d57af4b3960e5eedcf63c10 reason: context deadline exceeded
2019-09-27 13:53:33.542 UTC [gossip.discovery] expireDeadMembers -> WARN 18b Entering [8d8455016f555e26952048f7342aeb558d4fff9d7d57af4b3960e5eedcf63c10]
2019-09-27 13:53:33.542 UTC [gossip.discovery] expireDeadMembers -> WARN 18c Closing connection to Endpoint: peer2-org1-miles-com:7051, InternalEndpoint: 10.50.133.30:7051, PKI-ID: 8d8455016f555e26952048f7342aeb558d4fff9d7d57af4b3960e5eedcf63c10, Metadata:
2019-09-27 13:53:33.542 UTC [gossip.discovery] expireDeadMembers -> WARN 18d Exiting
2019-09-27 13:53:33.791 UTC [core.comm] ServerHandshake -> ERRO 18e TLS handshake failed with error remote error: tls: bad certificate {"server": "PeerServer", "remote address": "10.50.133.30:58644"}
2019-09-27 13:53:34.261 UTC [grpc] createTransport -> DEBU 191 grpc: addrConn.createTransport failed to connect to {10.50.133.30:7051 0  <nil>}. Err :connection error: desc = "transport: authentication handshake failed: x509: cannot validate certificate for 10.50.133.30 because it doesn't contain any IP SANs". Reconnecting...
10.50.133.30 is the IP of the peer2 of org1.

Also this:
2019-09-30 12:46:47.717 UTC [deliveryClient] try -> WARN 0bb Got error: rpc error: code = Canceled desc = context canceled , at 1 attempt. Retrying in 1s
2019-09-30 12:46:47.717 UTC [blocksProvider] DeliverBlocks -> WARN 0bc [mychannel] Receive error: client is closing
2019-09-30 12:47:58.716 UTC [gossip.comm] func1 -> WARN 06d peer0-afkl-miles-com:7051, PKIid:7323baf5d65181d17116dddccbd7794093f43047195d5c73baef6da2bc3b2274 isn't responsive: EOF
2019-09-30 12:47:58.716 UTC [gossip.discovery] expireDeadMembers -> WARN 06e Entering [7323baf5d65181d17116dddccbd7794093f43047195d5c73baef6da2bc3b2274]
2019-09-30 12:47:58.716 UTC [gossip.discovery] expireDeadMembers -> WARN 06f Closing connection to Endpoint: peer0-afkl-miles-com:7051, InternalEndpoint: , PKI-ID: 7323baf5d65181d17116dddccbd7794093f43047195d5c73baef6da2bc3b2274, Metadata:
2019-09-30 12:47:58.716 UTC [gossip.discovery] expireDeadMembers -> WARN 070 Exiting
The network still seems to work fine, but I don't know, it is not reassuring. I have no idea if the warnings are linked to the use of CA-generated certificates, or why I get TLS handshake errors between the peers now.

In a nutshell, this topic is not an easy one...

Hope it'll help you solve your own problem.

Regards,

JG
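As an added example (my own Go, not code from this thread or from Fabric), here is the certificate check that Fabric's gRPC layer delegates to Go's crypto/x509, run over constructed certificates: a peer cert whose issuing root never reached the channel config fails with the "certificate signed by unknown authority" error from the peer logs, and a cert without an IP SAN fails exactly like the gossip dial to 10.50.133.30 above. The CA names are assumptions; the peer name and IP are the ones in the logs.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue creates a TLS cert for host signed by parent, or a self-signed root when parent is nil;
// ips become the cert's IP SANs. Constructed demo material, not output of Fabric CA.
func issue(host string, ips []net.IP, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		DNSNames: []string{host}, IPAddresses: ips, IsCA: parent == nil, BasicConstraintsValid: true,
	}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, pk = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Scenarios reproduces the post's two failures beside the working case (peer name and IP from its logs).
func Scenarios() map[string]error {
	ca, caKey := issue("org1-tlsca", nil, nil, nil)
	other, otherKey := issue("other-tlsca", nil, nil, nil) // a root never copied into the MSP, so absent from the genesis block
	host, ip := "peer2-org1-miles-com", net.ParseIP("10.50.133.30")
	good, _ := issue(host, []net.IP{ip}, ca, caKey)
	noIP, _ := issue(host, nil, ca, caKey)
	foreign, _ := issue(host, []net.IP{ip}, other, otherKey)
	// A Fabric gRPC client does this with the TLS root from the channel config: chain to it, then match the dialed IP to the SANs.
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	check := func(leaf *x509.Certificate) error {
		_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: ip.String()})
		return err
	}
	return map[string]error{"with-ip-san": check(good), "no-ip-san": check(noIP), "unknown-root": check(foreign)}
}
func main() { fmt.Println(Scenarios()) }
```

The gossip dial above goes to the internal IP endpoint, so the address dialed must appear in the peer's TLS cert SANs, either as that IP or by dialing the DNS name the cert carries.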


 
