- Adding a new organisation to the system channel fails after FAB-17733
I don't see why you don't want to specify the intermediate certificate, but - your workaround looks fine to me assuming it works. To do what you want (just specify the root cert and not the intermediate) would require the TLS server handshake to send the full validation chain, which happens only if we specify the validation chain itself in the TLS config, which we do not do: https://github.com/hyperledger/fabric/blob/master/internal/pkg/comm/server.go#L70-L95

Therefore I find it hard to believe that the workaround you mention indeed works (unless I am misinterpreting your workaround - I assume you mean you do it in the server side and not in the client side).

From: "via lists.hyperledger.org" <christoph.buttler=ruhr-uni-bochum.de@...>
Date: 06/16/2020 04:05 PM
Subject: [Hyperledger Fabric] Adding a new organisation to the system channel fails after FAB-17733 #fabric #fabric-orderer #raft
Thanks for your quick reply. As suggested, I have opened a new JIRA (https://jira.hyperledger.org/browse/FAB-17998).

Regarding (3.), we have already added the intermediate certificates to the channel configuration. Let me try to give a proper explanation of what we want to achieve:

Suppose we have an orderer with a TLS chain "orderer.crt -> intermediate.crt -> root.crt" and want to create a new channel with "peer channel create". Now, if we are contacting the organisation's orderer, we could simply specify "--cafile intermediate.crt" and the TLS handshake would succeed. However, if we are contacting another organisation's orderer, we do not want to look up its "intermediate.crt" within the channel config. We would like to be able to specify "--cafile root.crt" no matter which orderer we are contacting. For some reason, this always results in a failed TLS handshake. We would expect the orderer to supply its full chain of certificates (or at least "orderer.crt -> intermediate.crt") in the handshake, but cannot figure out how to achieve this. As mentioned, our workaround is to build the TLS chain through manually appending "intermediate.crt" to "orderer.crt". Is there a way for the orderer/peer to do this automatically? Maybe through the Fabric configuration files orderer.yaml/core.yaml?