Re: Need help in configuring TLS for chaincode server

Brett T Logan <brett.t.logan@...>

Unfortunately, the comm layer is one of the most difficult pieces to debug. Can you use `openssl` to take a look at your TLS certificate and make sure everything looks good in there? Quite often users don't mention the correct IP/FQDN in the CN or SAN fields of the certificate; make sure you've mentioned your server's static IP (referenced below) in the SAN section.
Brett Logan
Software Engineer, IBM Blockchain
Phone: 1-984-242-6890

----- Original message -----
From: "sathya.kplm@..." <sathya.kplm@...>
Sent by: fabric@...
To: Matthew Sykes <matthew.sykes@...>, "fabric@..." <fabric@...>
Subject: [EXTERNAL] Re: [Hyperledger Fabric] Need help in configuring TLS for chaincode server
Date: Thu, Sep 24, 2020 11:39 PM
Yes. Both the fields are set to true.
Sathyanarayanan S

From: Matthew Sykes <matthew.sykes@...>
Sent: Friday, September 25, 2020 4:45 AM
To: fabric@... <fabric@...>
Cc: sathya.kplm@... <sathya.kplm@...>
Subject: Re: [Hyperledger Fabric] Need help in configuring TLS for chaincode server
Unfortunately, the traceback doesn't really shed any light on the situation as almost all errors invoking chaincode will show the same stack.
Did you set 'tls_required' and 'client_auth_required' to true in the 'connection.json' provided to the peer?
On Thu, Sep 24, 2020 at 7:05 AM sathya.kplm@... <sathya.kplm@...> wrote:
Hi Folks,
I am having some trouble when the peer communicates with the chaincode server with TLS enabled. I am providing a summary of what I did.
  • Created two CAs: chaincodeserverCA, peerClientCA
  • Created a private key called 'server.key' and created a certificate 'server.cert' signed by chaincodeserverCA
  • Created a private key called 'peer.key' and created a certificate 'peer.cert' signed by peerClientCA
  • Started the chaincode server with the following TLS settings
    • Key: contents of server.key
    • Cert: contents of server.cert
    • ClientCACerts: peerClientCA's root certificate
  • Installed a package with release build creating a connection.json such that
    • client_key: peer.key
    • client_cert: peer.cert
    • root_cert: chaincodeserverCA's root certificate
When invoking the chaincode with the above configuration, I am getting the following error from peer CLI:
Error: endorsement failure during invoke. response: status:500 message:"error in simulation: failed to execute transaction b7378fa2692d3e1c2d9382a61c6683a58a2ad20751aaf933abd5a3d2457b9c72: could not launch chaincode fabcar:a3a073275963170781ec9b80185758f7e4b65c968bda9430475b9b39dd5cf2f1: connection to fabcar:a3a073275963170781ec9b80185758f7e4b65c968bda9430475b9b39dd5cf2f1 failed: error cannot create connection for fabcar:a3a073275963170781ec9b80185758f7e4b65c968bda9430475b9b39dd5cf2f1: error creating grpc connection to failed to create new connection: context deadline exceeded"
The peer logs are like this:
2020-09-24 10:31:47.480 UTC [endorser] callChaincode -> INFO 05c finished chaincode: marbles duration: 10001ms channel=mychannel txID=b7378fa2
2020-09-24 10:31:47.480 UTC [endorser] SimulateProposal -> ERRO 05d failed to invoke chaincode marbles, error: context deadline exceeded
failed to create new connection
error creating grpc connection to
error cannot create connection for fabcar:a3a073275963170781ec9b80185758f7e4b65c968bda9430475b9b39dd5cf2f1
connection to fabcar:a3a073275963170781ec9b80185758f7e4b65c968bda9430475b9b39dd5cf2f1 failed
could not launch chaincode fabcar:a3a073275963170781ec9b80185758f7e4b65c968bda9430475b9b39dd5cf2f1
failed to execute transaction b7378fa2692d3e1c2d9382a61c6683a58a2ad20751aaf933abd5a3d2457b9c72
        /usr/local/go/src/runtime/asm_amd64.s:1357 channel=mychannel txID=b7378fa2
2020-09-24 10:31:47.480 UTC [comm.grpc.server] 1 -> INFO 05e unary call completed grpc.service=protos.Endorser grpc.method=ProcessProposal grpc.peer_address= grpc.code=OK grpc.call_duration=10.003026s
The chaincode invoke works perfectly fine if I disable TLS.
Any pointers on this will be really helpful. Please let me know where I am going wrong.
Sathyanarayanan S



Matthew Sykes
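
Added example, not part of the original thread and not Fabric's own code: the certificate check suggested at the top of the thread, written with Go's crypto/x509 on the assumption that the peer's Go TLS client applies the standard verification to server.cert. The helper names `issue` and `Diagnose`, the address 10.0.0.5 and all certificates (generated in memory) are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue builds a constructed fixture certificate; a nil parent yields a self-signed CA.
func issue(cn string, parent *x509.Certificate, signer ed25519.PrivateKey, sans ...net.IP) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // a nil key makes CreateCertificate fail below
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IPAddresses: sans}
	if parent == nil {
		tpl.IsCA, tpl.BasicConstraintsValid, tpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, signer = tpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced one line above
	return cert, key
}
// Diagnose repeats a Go TLS client's checks on server.cert: address in the SANs, chain ending at root.
func Diagnose(cert, root *x509.Certificate, address string) string {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: address})
	switch {
	case errors.As(err, new(x509.HostnameError)):
		return "address not in SAN"
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return "not signed by root_cert"
	case err != nil:
		return err.Error()
	}
	return "ok"
}
func main() {
	ca, caKey := issue("chaincodeserverCA", nil, nil)
	cnOnly, _ := issue("10.0.0.5", ca, caKey) // constructed: address in the CN only, no SAN
	fmt.Println(Diagnose(cnOnly, ca, "10.0.0.5"))
}
```

Go's verifier never falls back to the CN, so a certificate that carries the address only there is rejected even when the chain is correct.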
