Re: Raft - Orderer TLS Problem


Yacov
 

That's not what I said.

You need to add the TLS CA certificates of the CAs that issued the TLS certificate of the orderer node (the consenter) too.



From:        Nicholas Zanutim <nlzanutim@...>
To:        Yacov <yacovm@...>
Cc:        fabric@..., Hyperledger-fabric <hyperledger-fabric@...>
Date:        10/09/2019 02:53 PM
Subject:        [EXTERNAL] Re: [Hyperledger Fabric] Raft - Orderer TLS Problem




It is. I updated the channel configuration with it and added it as a consenter together with its address.
I checked it by pulling the latest config and inspecting the JSON.


On Wednesday, 9 October 2019 08:50:43 BRT, Yacov <yacovm@...> wrote:


Seems like the TLS CA certificate of the orderer of org2 is not in the channel configuration.



From:        "Nicholas Leonardi via Lists.Hyperledger.Org" <nlzanutim=yahoo.com@...>
To:        Hyperledger-fabric <hyperledger-fabric@...>
Cc:        fabric@...
Date:        10/09/2019 02:33 PM
Subject:        [EXTERNAL] [Hyperledger Fabric] Raft - Orderer TLS Problem
Sent by:        fabric@...




Hey guys,
I'm having an issue with the orderers communicating with each other via TLS.
Scenario:
2 Orgs - 2 Machines
Org 1 -> 3 Orderers all communicating with each other
Org 2 -> 1 Orderer

I include the Org 2 orderer in the system channel and the application channel via a channel update. All goes well.
I get the latest orderer config from the Org 1 orderer and start the Org 2 orderer with it. It recognizes the rest of the network as they try to communicate.
I'm using a Fabric CA root to generate the certificates for Org 1 and a Fabric CA intermediate to generate Org 2's identities for both the orderer and the peer.


Now the weird part is that the peers communicate with each other, and the blocks sync between ALL 4 orderers and both peers if I invoke chaincode on Org 1. But I can't invoke on Org 2, because the Org 2 orderer says there are no consenters.


This is the error on the orderers:

{192.168.68.133:7050 0  <nil>}. Err :connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority"


I can't figure it out, because I'm using the same configuration to generate the certificates for the peers and the orderers, and the peers do communicate via TLS without any problem. I've had IP SAN problems in the past, but that's not the issue now.


I've been stuck for the past 4 days with this error. Does the orderer require different certificates?
I've also tried using the TLS certificates from the TLSCA and TLSCAINTERMEDIATE folders with no luck.


Thanks in advance


 
orderer:
   container_name: orderer.example.com
   image: hyperledger/fabric-orderer
   environment:
     - FABRIC_LOGGING_SPEC=grpc=debug:info
     - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
     - ORDERER_GENERAL_GENESISMETHOD=file
     - ORDERER_OPERATIONS_LISTENADDRESS=0.0.0.0:8443
     - ORDERER_GENERAL_GENESISFILE=/etc/hyperledger/configtx/channel.block
     - ORDERER_GENERAL_LOCALMSPID=ExampleOrdererMSP
     - ORDERER_GENERAL_LOCALMSPDIR=/etc/hyperledger/msp/orderer/msp
     # Enable TLS
     - ORDERER_GENERAL_TLS_ENABLED=true
     - ORDERER_GENERAL_TLS_PRIVATEKEY=/etc/hyperledger/msp/orderer/tls/server.key
     - ORDERER_GENERAL_TLS_CERTIFICATE=/etc/hyperledger/msp/orderer/tls/server.crt
     - ORDERER_GENERAL_TLS_ROOTCAS=/etc/hyperledger/msp/orderer/tls/ca.crt
     - ORDERER_GENERAL_TLS_CLIENTROOTCAS=/etc/hyperledger/msp/orderer/tls/ca.crt
     - ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/etc/hyperledger/msp/orderer/tls/server.crt
     - ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/etc/hyperledger/msp/orderer/tls/server.key
     - ORDERER_GENERAL_CLUSTER_ROOTCAS=[/etc/hyperledger/msp/orderer/tls/ca.crt]
   working_dir: /opt/orderer
   command: orderer
   ports:
     - 7050:7050
   volumes:
     - ./config/:/etc/hyperledger/configtx
     - ./crypto-config/ordererOrganizations/orderers/orderer.example.com:/etc/hyperledger/msp/orderer
     - ./tls-certificates:/etc/hyperledger/tls-certificates
   networks:
     - n2med
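Yacov's point above (the TLS CA certificates of every CA that issued the consenter's TLS certificate, the intermediate included, must be in the channel configuration) as an added Go example that is not part of this thread or of Fabric's code: a constructed chain root CA -> intermediate CA -> orderer TLS certificate is verified first against the root alone, which reproduces the "certificate signed by unknown authority" error quoted in the thread, and then against root plus intermediate. The CN values and the issue() helper are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a P-256 key and a certificate for cn signed by parent (self-signed root when parent is nil).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 generation only fails if the CSPRNG does
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), IsCA: isCA,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root CA
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced above always parses
	return cert, key
}

// verifyAgainst checks the orderer's TLS cert against only the CA certs given, the way the
// Raft cluster trusts only the TLS CA certs present in the channel configuration.
func verifyAgainst(leaf *x509.Certificate, trusted ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err
}

func main() {
	// Constructed chain mirroring the thread: Fabric CA root -> Fabric CA intermediate -> Org 2 orderer TLS cert.
	root, rootKey := issue("tlsca.example.com", true, nil, nil)
	inter, interKey := issue("tlsca-intermediate.example.com", true, root, rootKey)
	orderer, _ := issue("orderer.org2.example.com", false, inter, interKey)
	fmt.Println("root CA only:       ", verifyAgainst(orderer, root))        // x509: certificate signed by unknown authority
	fmt.Println("root + intermediate:", verifyAgainst(orderer, root, inter)) // <nil>
}
```

The first call fails exactly like the orderer log in the thread because the intermediate that signed the leaf is not among the trusted CA certs; once the intermediate's certificate is trusted as well, the same leaf verifies.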






