Re: Generate TLS certificates using CA and not cryptogen #fabric #fabric-ca #fabricca


Jean-Gaël Dominé <jgdomine@...>
 

It was explained in my post https://lists.hyperledger.org/g/fabric/message/6783 I think.

The problem comes from the fact that the common name of the certificates issued by the CA is the login you give to the enroll command. For example, my peer is named peer0-afkl and my enroll command looks like this (helm syntax with variables):
fabric-ca-client enroll --enrollment.profile tls -m {{ .name }}-{{ $root.Values.network.ordererOrganization.domain }} --csr.hosts {{ .subjectAlternativeName }} \
-u $PROTOCOL://{{ .login }}:{{ .password }}@$CA_URL \
-M ./crypto-config/ordererOrganizations/{{ $root.Values.network.ordererOrganization.domain }}/{{ .name }}-{{ $root.Values.network.ordererOrganization.domain }}/tls $TLS_OPTION

Basically my .login variable was set to peer0 and I realized that the common name was set to peer0. So when the TLS communication was set up, I got errors because the component peer0-afkl had a certificate that did not match its name. That is why I got the error. I then added the --csr.hosts option so that peer0-afkl was added as a SAN DNS name. This solved the issue.

You can also use the same value for the login and the peer's name, but I don't know which approach is cleaner.

Hope it helps

My workaround was to overwrite the SAN using the --csr.hosts option of the fabric-ca-client command.
