
Re: Mutual TLS Issue #fabric #fabric-ca

soumya nayak <soumyarjnnayak@...>
 

Hi Jean, 

Are the TLS certificates that you have generated for both the orderer and the peer using fabric-ca both from the same CA?

In my case I had done it from a single CA for tls for both orderer and peer. 

Regards, 
Soumya

On Thu 26 Sep, 2019, 8:44 PM Jean-Gaël Dominé, <jgdomine@...> wrote:
Hi,

Thanks for your replies.

First of all, I'm not using docker-compose but Kubernetes. I was using Fabric 1.4.0 and when I saw your post I tried moving the peers, the orderer and the CA to 1.4.2 this afternoon.
I'm using an orderer in solo type for now.

I can attach my kubernetes files if you want but I don't know if you're familiar with it. At least my environment variables look like this:

Orderer
ORDERER_GENERAL_TLS_CERTIFICATE=/etc/hyperledger/crypto/ordererOrganizations/miles-com/orderers/orderer-miles-com/tls/servercert/cert.pem
ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED=false
ORDERER_GENERAL_TLS_CLIENTROOTCAS=[/etc/hyperledger/crypto/ordererOrganizations/miles-com/orderers/orderer-miles-com/tls/cacert/ca.crt, /etc/hyperledger/crypto/peerOrganizations/afkl-miles-com/peers/peer0-afkl-miles-com/tls/ca.crt, /etc/hyperledger/crypto/peerOrganizations/dl-miles-com/peers/peer0-dl-miles-com/tls/ca.crt]
ORDERER_GENERAL_TLS_ENABLED=true
ORDERER_GENERAL_TLS_PRIVATEKEY=/etc/hyperledger/crypto/ordererOrganizations/miles-com/orderers/orderer-miles-com/tls/serverkeystore/server.key
ORDERER_GENERAL_TLS_ROOTCAS=/etc/hyperledger/crypto/ordererOrganizations/miles-com/orderers/orderer-miles-com/tls/cacert/ca.crt

Peer
CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/crypto/peer/tls/servercert/cert.pem
CORE_PEER_TLS_CLIENTAUTHREQUIRED=false
CORE_PEER_TLS_CLIENTCERT_FILE=/etc/hyperledger/crypto/peer/tls/servercert/cert.pem
CORE_PEER_TLS_CLIENTKEY_FILE=/etc/hyperledger/crypto/peer/tls/serverkeystore/server.key
CORE_PEER_TLS_CLIENTROOTCAS_FILES=/etc/hyperledger/crypto/peer/tls/cacert/ca.crt
CORE_PEER_TLS_ENABLED=true
CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/crypto/peer/tls/serverkeystore/server.key
CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/crypto/peer/tls/cacert/ca.crt

Just so you know I used the Key explorer tool to check that each certificate looked correct and to me they are...
However, I don't know how the peer can verify the identity of the orderer since we cannot specify the root certificate of the orderer's CA (same goes for the other way around).
Despite that, everything works fine when generating the artifacts with cryptogen with the exact same configuration. So I suppose something's wrong with the CA generated certificates but I could not figure out what

I don't know if it helps understanding my issue.

Thanks everyone


Re: Mutual TLS Issue #fabric #fabric-ca

email4tong@gmail.com
 

Jean, if you are using k8s, there is a very easy way to set up everything for you. I wonder if you want to look into the cello ansible agent. The doc is here: https://github.com/hyperledger/cello/blob/master/docs/agents/ansible.md

Thanks.





Re: Mutual TLS Issue #fabric #fabric-ca

Jean-Gaël Dominé <jgdomine@...>
 

Hi,

Thanks for your replies.

First of all, I'm not using docker-compose but Kubernetes. I was using Fabric 1.4.0 and when I saw your post I tried moving the peers, the orderer and the CA to 1.4.2 this afternoon.
I'm using an orderer in solo type for now.

I can attach my kubernetes files if you want but I don't know if you're familiar with it. At least my environment variables look like this:

Orderer
ORDERER_GENERAL_TLS_CERTIFICATE=/etc/hyperledger/crypto/ordererOrganizations/miles-com/orderers/orderer-miles-com/tls/servercert/cert.pem
ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED=false
ORDERER_GENERAL_TLS_CLIENTROOTCAS=[/etc/hyperledger/crypto/ordererOrganizations/miles-com/orderers/orderer-miles-com/tls/cacert/ca.crt, /etc/hyperledger/crypto/peerOrganizations/afkl-miles-com/peers/peer0-afkl-miles-com/tls/ca.crt, /etc/hyperledger/crypto/peerOrganizations/dl-miles-com/peers/peer0-dl-miles-com/tls/ca.crt]
ORDERER_GENERAL_TLS_ENABLED=true
ORDERER_GENERAL_TLS_PRIVATEKEY=/etc/hyperledger/crypto/ordererOrganizations/miles-com/orderers/orderer-miles-com/tls/serverkeystore/server.key
ORDERER_GENERAL_TLS_ROOTCAS=/etc/hyperledger/crypto/ordererOrganizations/miles-com/orderers/orderer-miles-com/tls/cacert/ca.crt

Peer
CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/crypto/peer/tls/servercert/cert.pem
CORE_PEER_TLS_CLIENTAUTHREQUIRED=false
CORE_PEER_TLS_CLIENTCERT_FILE=/etc/hyperledger/crypto/peer/tls/servercert/cert.pem
CORE_PEER_TLS_CLIENTKEY_FILE=/etc/hyperledger/crypto/peer/tls/serverkeystore/server.key
CORE_PEER_TLS_CLIENTROOTCAS_FILES=/etc/hyperledger/crypto/peer/tls/cacert/ca.crt
CORE_PEER_TLS_ENABLED=true
CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/crypto/peer/tls/serverkeystore/server.key
CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/crypto/peer/tls/cacert/ca.crt

Just so you know I used the Key explorer tool to check that each certificate looked correct and to me they are...
However, I don't know how the peer can verify the identity of the orderer since we cannot specify the root certificate of the orderer's CA (same goes for the other way around).
Despite that, everything works fine when generating the artifacts with cryptogen with the exact same configuration. So I suppose something's wrong with the CA generated certificates but I could not figure out what

I don't know if it helps understanding my issue.

Thanks everyone
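
The trust question raised in this thread (one TLS CA for both nodes versus one per organisation), as an added Go example that is not part of the original posts and is not Fabric code: it issues throwaway certificates from two constructed CAs and runs the chain and extended-key-usage checks that each end of a mutual-TLS handshake performs. All names (tlsca.orderer-org, orderer.example, peer0.example) are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issued pairs a certificate with its private key.
type issued struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

type result struct {
	check string
	ok    bool
}

var serial int64

// issue creates a certificate for cn. With a nil parent it is a self-signed
// CA; otherwise it is a leaf signed by parent carrying the given EKUs.
// It panics on failure, which keeps this throwaway example short.
func issue(cn string, parent *issued, eku []x509.ExtKeyUsage, dns ...string) *issued {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  eku,
		DNSNames:     dns,
	}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &issued{cert, key}
}

// verify reports whether leaf chains to one of roots and may be used for
// usage; host is matched against the leaf's SANs when non-empty.
func verify(leaf *issued, usage x509.ExtKeyUsage, host string, roots ...*issued) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r.cert)
	}
	_, err := leaf.cert.Verify(x509.VerifyOptions{
		Roots: pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{usage},
	})
	return err == nil
}

// scenario uses one TLS CA per organisation (all names are constructed) and
// runs the checks each end of a mutual-TLS handshake performs.
func scenario() []result {
	const srv, cli = x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth
	ordCA, peerCA := issue("tlsca.orderer-org", nil, nil), issue("tlsca.peer-org", nil, nil)
	orderer := issue("orderer", ordCA, []x509.ExtKeyUsage{srv, cli}, "orderer.example")
	peer := issue("peer0", peerCA, []x509.ExtKeyUsage{srv, cli}, "peer0.example")
	srvOnly := issue("peer0", peerCA, []x509.ExtKeyUsage{srv}, "peer0.example")
	return []result{
		{"peer checks orderer server cert, roots = peer CA", verify(orderer, srv, "orderer.example", peerCA)},
		{"peer checks orderer server cert, roots = peer CA + orderer CA", verify(orderer, srv, "orderer.example", peerCA, ordCA)},
		{"orderer checks peer client cert, client roots = orderer CA", verify(peer, cli, "", ordCA)},
		{"orderer checks peer client cert, client roots = orderer CA + peer CA", verify(peer, cli, "", ordCA, peerCA)},
		{"orderer checks serverAuth-only cert as client, client roots = both", verify(srvOnly, cli, "", ordCA, peerCA)},
	}
}

func main() {
	for _, r := range scenario() {
		fmt.Printf("%-70s %v\n", r.check, r.ok)
	}
}
```

With a single CA on both sides, one root file satisfies every chain check; with separate CAs, each node's root or client-root list has to include the issuer of the other node's certificate, and a certificate presented as a client must carry the clientAuth usage.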


Re: Raft - Multiple Orderers - LevelDB Error

David Enyeart
 

The problem was that you were mapping each of the orderer's container storage to a common location on the host: ./crypto-config/peerOrganizations/peers/peer0.example.com

Take a look at how the byfn sample does it for orderers 2 through 5:
https://github.com/hyperledger/fabric-samples/blob/release-1.4/first-network/docker-compose-etcdraft2.yaml#L30-L45


Dave Enyeart


From: "Nicholas Leonardi via Lists.Hyperledger.Org" <nlzanutim=yahoo.com@...>
To: Gari Singh <garis@...>
Cc: fabric@...
Date: 09/26/2019 09:53 AM
Subject: [EXTERNAL] Re: [Hyperledger Fabric] Raft - Multiple Orderers - LevelDB Error
Sent by: fabric@...





Changed what you suggested in the
- ./crypto-config/peerOrganizations/peers/peer0.example.com/:/etc/hyperledger/
to
- ./crypto-config/peerOrganizations/peers/peer0.example.com/:/etc/hyperledger/orderer1(2 and 3 respectively)

and that seemed to work but it doesn't make sense because the etc/hyperledger is internal. They're still pulling the same certificates from the peer and using the same shared directory. Worked but I still don't understand.

Appreciate the help, some other errors popped up regarding tls and stuff like that but I got it now.


On Thursday, September 26, 2019 09:35:21 BRT, Gari Singh <garis@...> wrote:


Looking at the config below, it looks like you have

FABRIC_CFG_PATH=/etc/hyperledger/ordererConfig

and

volumes:
- ./crypto-config/peerOrganizations/peers/peer0.example.com/:/etc/hyperledger/


for each of the orderer containers. This results in all 3 containers using the same directory for their ledgers because all 3 of them are going to create "ordererConfig" in /etc/hyperledger which maps to the same directory on your host system.


I recall you said you had tried changing the FABRIC_CFG_PATH, but can you try again?
Keep everything else the same in the compose file except FABRIC_CFG_PATH.

You really want


FABRIC_CFG_PATH=/etc/hyperledger/ordererConfig for orderer
FABRIC_CFG_PATH=/etc/hyperledger/ordererConfig2 for orderer2
FABRIC_CFG_PATH=/etc/hyperledger/ordererConfig3 for orderer3






-----------------------------------------
Gari Singh
Distinguished Engineer, CTO - IBM Blockchain
IBM Middleware
550 King St
Littleton, MA 01460
Cell: 978-846-7499

garis@...
-----------------------------------------

-----fabric@... wrote: -----
To: Gari Singh <garis@...>
From: "Nicholas Leonardi via Lists.Hyperledger.Org"
Sent by: fabric@...
Date: 09/26/2019 08:03AM
Cc: fabric@...
Subject: [EXTERNAL] Re: [Hyperledger Fabric] Raft - Multiple Orderers - LevelDB Error


Yes of course. Here it is

rca.example:
  container_name: rca.example.com
  image: hyperledger/fabric-ca:1.4.3
  command: sh -c 'fabric-ca-server start -d -b admin:adminpw --port 7054 --cfg.identities.allowremove'
  environment:
    - FABRIC_LOGGING_SPEC=grpc=debug:info
    - FABRIC_CA_SERVER_HOME=/etc/hyperledger/fabric-ca
    - FABRIC_CA_SERVER_CLIENT=/etc/hyperledger/fabric-ca-client
    - FABRIC_CA_CLIENT_TLS_CERTFILES=/etc/hyperledger/fabric-ca/tls-cert.pem
    - FABRIC_CA_SERVER_TLS_ENABLED=true
    - FABRIC_CA_SERVER_CA_NAME=rca.example.com
    - FABRIC_CA_SERVER_CSR_CN=rca.example.com
    - FABRIC_CA_SERVER_CSR_HOSTS=rca.example.com,192.168.65.89
    - FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca/tlsca/rca.example-key.pem
    - FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca/tlsca/rca.example-cert.pem
    - FABRIC_CA_SERVER_DEBUG=true
  volumes:
    - ./exampleCa/:/etc/hyperledger/fabric-ca
    - ./exampleCa/server:/etc/hyperledger/fabric-ca-server
    - ./exampleCa/client:/etc/hyperledger/fabric-ca-client
  ports:
    - 7054:7054

orderer.example.com:
  container_name: orderer.example.com
  image: hyperledger/fabric-orderer
  environment:
    - FABRIC_LOGGING_SPEC=grpc=debug:info
    - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
    - ORDERER_GENERAL_GENESISMETHOD=file
    - ORDERER_GENERAL_GENESISFILE=/etc/hyperledger/configtx/genesis.block
    - ORDERER_GENERAL_LOCALMSPID=OrdererMSP
    - ORDERER_GENERAL_LOCALMSPDIR=/etc/hyperledger/orderer/msp
    - FABRIC_CFG_PATH=/etc/hyperledger/ordererConfig
    # Enable TLS
    - ORDERER_GENERAL_TLS_ENABLED=true
    - ORDERER_GENERAL_TLS_PRIVATEKEY=/etc/hyperledger/orderer/tls/server.key
    - ORDERER_GENERAL_TLS_CERTIFICATE=/etc/hyperledger/orderer/tls/server.crt
    - ORDERER_GENERAL_TLS_ROOTCAS=[/etc/hyperledger/orderer/tls/ca.crt]
    - ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/etc/hyperledger/orderer/tls/server.crt
    - ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/etc/hyperledger/orderer/tls/server.key
    - ORDERER_GENERAL_CLUSTER_ROOTCAS=[/etc/hyperledger/orderer/tls/ca.crt]
  working_dir: /etc/hyperledger/
  command: orderer
  ports:
    - 7050:7050
  volumes:
    - ./config/:/etc/hyperledger/configtx
    - ./crypto-config/ordererOrganizations/orderers/orderer.example.com/:/etc/hyperledger/orderer
    - ./crypto-config/peerOrganizations/peers/peer0.example.com/:/etc/hyperledger/
    - ./ordererConfig:/etc/hyperledger/ordererConfig
  networks:
    - example

orderer2.example.com:
  container_name: orderer2.example.com
  image: hyperledger/fabric-orderer
  environment:
    - FABRIC_LOGGING_SPEC=grpc=debug:info
    - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
    - ORDERER_GENERAL_GENESISMETHOD=file
    - ORDERER_GENERAL_GENESISFILE=/etc/hyperledger/configtx/genesis.block
    - ORDERER_GENERAL_LOCALMSPID=OrdererMSP
    - ORDERER_GENERAL_LOCALMSPDIR=/etc/hyperledger/orderer/msp
    - FABRIC_CFG_PATH=/etc/hyperledger/ordererConfig
    # Enable TLS
    - ORDERER_GENERAL_TLS_ENABLED=true
    - ORDERER_GENERAL_TLS_PRIVATEKEY=/etc/hyperledger/orderer/tls/server.key
    - ORDERER_GENERAL_TLS_CERTIFICATE=/etc/hyperledger/orderer/tls/server.crt
    - ORDERER_GENERAL_TLS_ROOTCAS=[/etc/hyperledger/orderer/tls/ca.crt]
    - ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/etc/hyperledger/orderer/tls/server.crt
    - ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/etc/hyperledger/orderer/tls/server.key
    - ORDERER_GENERAL_CLUSTER_ROOTCAS=[/etc/hyperledger/orderer/tls/ca.crt]
  working_dir: /etc/hyperledger/orderer2
  command: orderer
  ports:
    - 7060:7050
  volumes:
    - ./config/:/etc/hyperledger/configtx
    - ./crypto-config/ordererOrganizations/orderers/orderer2.example.com/:/etc/hyperledger/orderer
    - ./crypto-config/peerOrganizations/peers/peer0.example.com/:/etc/hyperledger/
    - ./ordererConfig2:/etc/hyperledger/ordererConfig2
  networks:
    - example

orderer3.example.com:
  container_name: orderer3.example.com
  image: hyperledger/fabric-orderer
  environment:
    - FABRIC_LOGGING_SPEC=grpc=debug:info
    - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
    - ORDERER_GENERAL_GENESISMETHOD=file
    - ORDERER_GENERAL_GENESISFILE=/etc/hyperledger/configtx/genesis.block
    - ORDERER_GENERAL_LOCALMSPID=OrdererMSP
    - ORDERER_GENERAL_LOCALMSPDIR=/etc/hyperledger/orderer/msp
    - FABRIC_CFG_PATH=/etc/hyperledger/ordererConfig
    # Enable TLS
    - ORDERER_GENERAL_TLS_ENABLED=true
    - ORDERER_GENERAL_TLS_PRIVATEKEY=/etc/hyperledger/orderer/tls/server.key
    - ORDERER_GENERAL_TLS_CERTIFICATE=/etc/hyperledger/orderer/tls/server.crt
    - ORDERER_GENERAL_TLS_ROOTCAS=[/etc/hyperledger/orderer/tls/ca.crt]
    - ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/etc/hyperledger/orderer/tls/server.crt
    - ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/etc/hyperledger/orderer/tls/server.key
    - ORDERER_GENERAL_CLUSTER_ROOTCAS=[/etc/hyperledger/orderer/tls/ca.crt]
  working_dir: /etc/hyperledger/orderer3
  command: orderer
  ports:
    - 7070:7050
  volumes:
    - ./config/:/etc/hyperledger/configtx
    - ./crypto-config/ordererOrganizations/orderers/orderer3.example.com/:/etc/hyperledger/orderer
    - ./crypto-config/peerOrganizations/peers/peer0.example.com/:/etc/hyperledger/
    - ./ordererConfig3:/etc/hyperledger/ordererConfig3
  networks:
    - example

peer0.example.com:
  container_name: peer0.example.com
  image: hyperledger/fabric-peer
  environment:
    - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
    - CORE_PEER_ID=peer0.example.com
    - FABRIC_LOGGING_SPEC=grpc=debug:info
    - CORE_PEER_GOSSIP_USELEADERELECTION=false
    - CORE_PEER_GOSSIP_ORGLEADER=true
    - CORE_PEER_PROFILE_ENABLED=true
    - CORE_CHAINCODE_LOGGING_LEVEL=debug
    - CORE_PEER_LOCALMSPID=ExampleMSP
    - CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/peer/users/Admin@.../msp
    - CORE_PEER_ADDRESS=peer0.example.com:7051
    - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.example.com:7051
    - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=example_exam
    - CORE_LEDGER_STATE_STATEDATABASE=CouchDB
    - CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS=couchdb:5984
    - CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME=${COUCH_DB_USERNAME}
    - CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD=${COUCH_DB_PASSWORD}
    # Enable TLS
    - CORE_PEER_TLS_ENABLED=true
    - CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/peer/peers/peer0.example.com/tls/server.crt
    - CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/peer/peers/peer0.example.com/tls/server.key
    - CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/peer/peers/peer0.example.com/tls/ca.crt
  working_dir: /etc/hyperledger/peer
  command: peer node start
  ports:
    - 7051:7051
    - 7053:7053
  volumes:
    - /var/run/:/host/var/run/
    - ./crypto-config/peerOrganizations/:/etc/hyperledger/peer
    - ./crypto-config/peerOrganizations/users:/etc/hyperledger/users
    - ./config:/etc/hyperledger/configtx
  depends_on:
    - orderer.example.com
    - couchdb
  networks:
    - example

couchdb:
  container_name: couchdb
  image: hyperledger/fabric-couchdb
  environment:
    - COUCHDB_USER=${COUCH_DB_USERNAME}
    - COUCHDB_PASSWORD=${COUCH_DB_PASSWORD}
  ports:
    - 5984:5984
  networks:
    - example

cli:
  container_name: cli
  image: hyperledger/fabric-tools
  tty: true
  environment:
    - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
    - FABRIC_LOGGING_SPEC=grpc=debug:info
    - CORE_PEER_ID=cli
    - CORE_PEER_ADDRESS=peer0.example.com:7051
    - CORE_PEER_LOCALMSPID=ExampleMSP
    - CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/peerOrganizations/users/Admin@.../msp
    - CORE_CHAINCODE_KEEPALIVE=10
    # Enable TLS
    - CORE_PEER_TLS_ENABLED=true
    - CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/peerOrganizations/peers/peer0.example.com/tls/server.crt
    - CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/peerOrganizations/peers/peer0.example.com/tls/server.key
    - CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/peerOrganizations/peers/peer0.example.com/tls/ca.crt
  working_dir: /etc/hyperledger
  command: /bin/bash
  volumes:
    - /var/run/:/host/var/run/
    - ../../../fabric/chaincodes/:/opt/
    - ./crypto-config/:/etc/hyperledger/
    - ./config:/etc/hyperledger/channel-artifacts
  networks:
    - example
  depends_on:
    - orderer.example.com
    - peer0.example.com
    - couchdb






On Wednesday, September 25, 2019 17:52:19 BRT, Gari Singh <garis@...> wrote:




I think we'd need to see the entire compose file here


----- Original message -----
From: "Nicholas Leonardi via Lists.Hyperledger.Org" <nlzanutim=yahoo.com@...>
Sent by: fabric@...
To: Nye Liu <nye@...>
Cc: fabric@...
Subject: [EXTERNAL] Re: [Hyperledger Fabric] Raft - Multiple Orderers - LevelDB Error
Date: Wed, Sep 25, 2019 4:31 PM

I tried that. Same problem. Also, in the fabric samples they use the same working directories. I also noticed they use the same orderer genesis block for all 3, which I'm also doing.
If I remove the last volume from all 3 I get a "failed to parse config", which I'm assuming is the configtx.yaml, but that also doesn't solve it.

On Sep 25, 2019, at 17:06, Nye Liu <nye@...> wrote:
They all need different working directories. They can’t share leveldb files for obvious reasons.

On Sep 25, 2019, at 10:30 AM, Nicholas Leonardi via Lists.Hyperledger.Org <nlzanutim=yahoo.com@...> wrote:
Hey guys,
I'm trying to deploy 3 orderers on the same organization and machine.
I can't seem to get it working, two orderers gives me this error:

panic: Error opening leveldb: resource temporarily unavailable

No idea what I'm doing wrong, I copied pretty much the same schematics
from the example. Put them as consenters and addresses in the configtx file,
declared them in the docker-compose file as follows
orderer2.example.com:
  container_name: orderer2.example.com
  image: hyperledger/fabric-orderer
  environment:
    - FABRIC_LOGGING_SPEC=grpc=debug:info
    - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
    - ORDERER_GENERAL_GENESISMETHOD=file
    - ORDERER_GENERAL_GENESISFILE=/etc/hyperledger/configtx/genesis.block
    - ORDERER_GENERAL_LOCALMSPID=OrdererMSP
    - ORDERER_GENERAL_LOCALMSPDIR=/etc/hyperledger/orderer/msp
    - FABRIC_CFG_PATH=/etc/hyperledger/ordererConfig
    # Enable TLS
    - ORDERER_GENERAL_TLS_ENABLED=true
    - ORDERER_GENERAL_TLS_PRIVATEKEY=/etc/hyperledger/orderer/tls/server.key
    - ORDERER_GENERAL_TLS_CERTIFICATE=/etc/hyperledger/orderer/tls/server.crt
    - ORDERER_GENERAL_TLS_ROOTCAS=[/etc/hyperledger/orderer/tls/ca.crt]
    - ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/etc/hyperledger/orderer/tls/server.crt
    - ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/etc/hyperledger/orderer/tls/server.key
    - ORDERER_GENERAL_CLUSTER_ROOTCAS=[/etc/hyperledger/orderer/tls/ca.crt]
  working_dir: /etc/hyperledger/
  command: orderer
  ports:
    - 7060:7050
  volumes:
    - ./config/:/etc/hyperledger/configtx
    - ./crypto-config/ordererOrganizations/orderers/orderer2.example.com/:/etc/hyperledger/orderer
    - ./crypto-config/peerOrganizations/peers/peer0.example.com/:/etc/hyperledger/
    - ./ordererConfig2:/etc/hyperledger/ordererConfig
  networks:
    - example
Obviously where there's "orderer2" it's changed to match the three other orderers. I've also
used fabric-ca to generate their own identities; however, it was using the same MSP, which
still shouldn't be a problem.

I've tried:
Changing FABRIC_CFG_PATH on each which still shouldn't be a problem cus it's within the containers
Removing the ./ordererConfig2:/etc/hyperledger/ordererConfig
Adding different "Volumes:" at the top of the docker-compose file
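
Gari Singh's diagnosis in this thread, worked through as an added Go example (not part of the thread and not Fabric code): it resolves each orderer's FABRIC_CFG_PATH through the bind mounts of the full compose file posted above and reports host directories that more than one container ends up using. It assumes, as that reply states, that each orderer creates its ledger under FABRIC_CFG_PATH; the type and function names are hypothetical.

```go
package main

import (
	"fmt"
	"path"
	"sort"
	"strings"
)

// service keeps the two compose settings that decide where an orderer's
// files land on the host.
type service struct {
	name    string
	cfgPath string            // FABRIC_CFG_PATH inside the container
	volumes map[string]string // container mount point -> host directory
}

// hostPath translates a container path to the host path behind it, using the
// bind mount with the longest matching mount point (a nested mount shadows
// its parent). ok is false when no bind mount covers the path.
func hostPath(s service, containerPath string) (host string, ok bool) {
	cp := path.Clean(containerPath)
	best, bestHost := "", ""
	for mnt, src := range s.volumes {
		m := path.Clean(mnt)
		// m+"/" keeps /etc/hyperledger/orderer from matching .../ordererConfig.
		if (cp == m || strings.HasPrefix(cp, m+"/")) && len(m) > len(best) {
			best, bestHost = m, src
		}
	}
	if best == "" {
		return "", false
	}
	return path.Join(bestHost, strings.TrimPrefix(cp, best)), true
}

// collisions returns every host directory that more than one service's
// FABRIC_CFG_PATH resolves to, with the names of the services sharing it.
func collisions(svcs []service) map[string][]string {
	byDir := map[string][]string{}
	for _, s := range svcs {
		if dir, ok := hostPath(s, s.cfgPath); ok {
			byDir[dir] = append(byDir[dir], s.name)
		}
	}
	for dir, names := range byDir {
		if len(names) < 2 {
			delete(byDir, dir)
			continue
		}
		sort.Strings(names)
	}
	return byDir
}

// orderer rebuilds one orderer service from the compose file in the thread;
// n is "", "2" or "3" and cfgPath is that service's FABRIC_CFG_PATH.
func orderer(n, cfgPath string) service {
	return service{
		name:    "orderer" + n + ".example.com",
		cfgPath: cfgPath,
		volumes: map[string]string{
			"/etc/hyperledger/configtx":          "./config/",
			"/etc/hyperledger/orderer":           "./crypto-config/ordererOrganizations/orderers/orderer" + n + ".example.com/",
			"/etc/hyperledger/":                  "./crypto-config/peerOrganizations/peers/peer0.example.com/",
			"/etc/hyperledger/ordererConfig" + n: "./ordererConfig" + n,
		},
	}
}

// asPosted: every orderer uses the same FABRIC_CFG_PATH.
func asPosted() []service {
	const p = "/etc/hyperledger/ordererConfig"
	return []service{orderer("", p), orderer("2", p), orderer("3", p)}
}

// asSuggested: FABRIC_CFG_PATH differs per orderer, as the reply proposes.
func asSuggested() []service {
	const p = "/etc/hyperledger/ordererConfig"
	return []service{orderer("", p), orderer("2", p+"2"), orderer("3", p+"3")}
}

func main() {
	fmt.Println("as posted:   ", collisions(asPosted()))
	fmt.Println("as suggested:", collisions(asSuggested()))
}
```

In the posted file the first orderer's own ./ordererConfig mount shadows the shared directory, so the directory reported as shared is the peer0.example.com one reached by orderer2 and orderer3; a path that is "internal" to a container is still host storage whenever a bind mount covers it.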








Re: "Failed to connect to Postgres database"

Marco Ippolito
 

In order to restart from a clean situation and configuration, I removed the previous fabric-ca folder, created a new one, and then initiated the fabric-ca-server. With the default SQLite everything seems to be working fine. But once I try to use the PostgreSQL-11 db I created before, errors appear:

(base) marco@pc:~/fabric$ rm -rf fabric-ca
(base) marco@pc:~/fabric$ mkdir fabric-ca
(base) marco@pc:~/fabric$ cd fabric-ca/
(base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server init -b admin:adminpw
(base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server start -b admin:adminpw
2019/09/26 15:48:54 [INFO] Created default configuration file at /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
2019/09/26 15:48:54 [INFO] Starting server in home directory: /home/marco/fabric/fabric-ca
2019/09/26 15:48:54 [INFO] Server Version: 1.4.4
2019/09/26 15:48:54 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/09/26 15:48:54 [WARNING] &{69 The specified CA certificate file /home/marco/fabric/fabric-ca/ca-cert.pem does not exist}
2019/09/26 15:48:54 [INFO] generating key: &{A:ecdsa S:256}
2019/09/26 15:48:54 [INFO] encoded CSR
2019/09/26 15:48:54 [INFO] signed certificate with serial number 162595303982096068338873480987512684820342253664
2019/09/26 15:48:54 [INFO] The CA key and certificate were generated for CA
2019/09/26 15:48:54 [INFO] The key was stored by BCCSP provider 'SW'
2019/09/26 15:48:54 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
2019/09/26 15:48:54 [INFO] Initialized sqlite3 database at /home/marco/fabric/fabric-ca/fabric-ca-server.db
2019/09/26 15:48:54 [INFO] The issuer key was successfully stored. The public key is at: /home/marco/fabric/fabric-ca/IssuerPublicKey, secret key is at: /home/marco/fabric/fabric-ca/msp/keystore/IssuerSecretKey
2019/09/26 15:48:54 [INFO] Idemix issuer revocation public and secret keys were generated for CA ''
2019/09/26 15:48:54 [INFO] The revocation key was successfully stored. The public key is at: /home/marco/fabric/fabric-ca/IssuerRevocationPublicKey, private key is at: /home/marco/fabric/fabric-ca/msp/keystore/IssuerRevocationPrivateKey
2019/09/26 15:48:54 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
2019/09/26 15:48:54 [INFO] Operation Server Listening on 127.0.0.1:9443
2019/09/26 15:48:54 [INFO] Listening on http://0.0.0.0:7054

I set the brand-new fabric-ca-server-config.yaml in this way:

#db:
#  type: sqlite3
#  datasource: fabric-ca-server.db
#  tls:
#      enabled: false
#      certfiles:
#      client:
#        certfile:
#        keyfile:

db:
  type: postgres
  datasource: host=localhost port=5433 user=fabmnet_admin password=password dbname=fabmnetdb sslmode=verify-full

and in /etc/postgresql/11/fabmnet/postgresql.conf :

ssl = on
ssl_cert_file = '/home/marco/fabric/fabric-ca/ca-cert.pem'
ssl_key_file = '/home/marco/fabric/fabric-ca/msp/keystore/IssuerSecretKey'

After systemctl restart postgresql, I tried to start the fabric-ca-server:

(base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server start -b admin:adminpw
2019/09/26 15:56:50 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
2019/09/26 15:56:50 [INFO] Starting server in home directory: /home/marco/fabric/fabric-ca
2019/09/26 15:56:50 [INFO] Server Version: 1.4.4
2019/09/26 15:56:50 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/09/26 15:56:50 [INFO] The CA key and certificate already exist
2019/09/26 15:56:50 [INFO] The key is stored by BCCSP provider 'SW'
2019/09/26 15:56:50 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
2019/09/26 15:56:50 [WARNING] Failed to connect to database 'fabmnetdb'
2019/09/26 15:56:50 [WARNING] Failed to connect to database 'postgres'
2019/09/26 15:56:50 [WARNING] Failed to connect to database 'template1'
2019/09/26 15:56:50 [ERROR] Error occurred initializing database: Failed to connect to Postgres database. Postgres requires connecting to a specific database, the following databases were tried: [fabmnetdb postgres template1]. Please create one of these database before continuing
2019/09/26 15:56:50 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
2019/09/26 15:56:50 [INFO] Operation Server Listening on 127.0.0.1:9443
2019/09/26 15:56:50 [INFO] Listening on http://0.0.0.0:7054

Before I also removed all the previous content of /var/log/postgresql/postgresql-11-fabmnet.log to have a clean situation. But strangely now I do not get any new logging information in postgresql-11-fabmnet.log

So, I think there must be something to fix in the interface between fabric-ca-server and PostgreSQL-11 db: in fabric-ca-server-config.yaml, in postgresql.conf, in both, or somewhere else.


On Thu, Sep 26, 2019 at 14:35 Marco Ippolito <ippolito.marco@...> wrote:
Enabling TLS through the command line gives this output:

(base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server start -b admin:adminpw --tls.enabled
2019/09/26 14:02:09 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
2019/09/26 14:02:09 [INFO] Starting server in home directory: /home/marco/fabric/fabric-ca
2019/09/26 14:02:09 [INFO] Server Version: 1.4.4
2019/09/26 14:02:09 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/09/26 14:02:09 [INFO] The CA key and certificate already exist
2019/09/26 14:02:09 [INFO] The key is stored by BCCSP provider 'SW'
2019/09/26 14:02:09 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
2019/09/26 14:02:09 [WARNING] Failed to connect to database 'fabmnetdb'
2019/09/26 14:02:09 [WARNING] Failed to connect to database 'postgres'
2019/09/26 14:02:09 [WARNING] Failed to connect to database 'template1'
2019/09/26 14:02:09 [ERROR] Error occurred initializing database: Failed to connect to Postgres database. Postgres requires connecting to a specific database, the following databases were tried: [fabmnetdb postgres template1]. Please create one of these database before continuing
2019/09/26 14:02:09 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
2019/09/26 14:02:09 [INFO] Operation Server Listening on 127.0.0.1:9443
2019/09/26 14:02:09 [INFO] generating key: &{A:ecdsa S:256}
2019/09/26 14:02:09 [INFO] encoded CSR
2019/09/26 14:02:09 [INFO] signed certificate with serial number 92902964373330420996414514456924886556455364958
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0xe5d931]

goroutine 1 [running]:
github.com/hyperledger/fabric-ca/lib.(*CertDBAccessor).checkDB(...)
/home/marco/go/src/github.com/hyperledger/fabric-ca/lib/certdbaccessor.go:68
github.com/hyperledger/fabric-ca/lib.(*CertDBAccessor).InsertCertificate(0x0, 0xc0002449c0, 0x2f, 0xc000244a20, 0x28, 0x0, 0x0, 0x1101b40, 0x4, 0x0, ...)
/home/marco/go/src/github.com/hyperledger/fabric-ca/lib/certdbaccessor.go:84 +0x91
github.com/hyperledger/fabric-ca/vendor/github.com/cloudflare/cfssl/signer/local.(*Signer).Sign(0xc00026fc80, 0x0, 0x0, 0x0, 0xc0003f0800, 0x1f9, 0x0, 0x110158b, 0x3, 0x0, ...)
/home/marco/go/src/github.com/hyperledger/fabric-ca/vendor/github.com/cloudflare/cfssl/signer/local/local.go:408 +0xcbe
github.com/hyperledger/fabric-ca/lib.(*Server).autoGenerateTLSCertificateKey(0xc000110160, 0x29, 0xc0004f9c00)
/home/marco/go/src/github.com/hyperledger/fabric-ca/lib/server.go:878 +0x43e
github.com/hyperledger/fabric-ca/lib.(*Server).listenAndServe(0xc000110160, 0x1103e0c, 0x6)
/home/marco/go/src/github.com/hyperledger/fabric-ca/lib/server.go:634 +0xde8
github.com/hyperledger/fabric-ca/lib.(*Server).Start(0xc000110160, 0xc000110160, 0x0)
/home/marco/go/src/github.com/hyperledger/fabric-ca/lib/server.go:199 +0x377
main.(*ServerCmd).init.func3(0xc00015e480, 0xc000298840, 0x0, 0x3, 0x0, 0x0)
/home/marco/go/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/servercmd.go:121 +0xd5
github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).execute(0xc00015e480, 0xc000298780, 0x3, 0x3, 0xc00015e480, 0xc000298780)
/home/marco/go/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:643 +0x3e6
github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).ExecuteC(0xc00015e000, 0x5, 0xc00024bf01, 0xc0000cc140)
/home/marco/go/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:734 +0x2be
github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).Execute(...)
/home/marco/go/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:692
main.(*ServerCmd).Execute(...)
/home/marco/go/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/servercmd.go:69
main.RunMain(0xc0000cc000, 0x5, 0x5, 0xc00024bf88, 0xc0000a6058)
/home/marco/go/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:45 +0xb5
main.main()
/home/marco/go/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:27 +0x45

postgresql-11-fabmnet.log :

2019-09-26 14:02:09.669 CEST [6267] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
2019-09-26 14:02:09.672 CEST [6270] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
2019-09-26 14:02:09.675 CEST [6271] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate

The very first error message says: 2019/09/26 14:02:09 [WARNING] Failed to connect to database 'fabmnetdb'


I then modified the postgresql.conf file in order to point to the .pem file created during the fabric-ca-start execution. The problem is that there is no corresponding .key file:

putting in /etc/postgresql/11/fabmnet/postgresql.conf :

ssl_cert_file = '/home/marco/fabric/fabric-ca/ca-cert.pem'

but without any .key file because the fabric-ca-server start did create ca-cert.pem but not the corresponding .key file

(base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server start -b admin:adminpw
2019/09/26 14:23:12 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
2019/09/26 14:23:12 [INFO] Starting server in home directory: /home/marco/fabric/fabric-ca
2019/09/26 14:23:12 [INFO] Server Version: 1.4.4
2019/09/26 14:23:12 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/09/26 14:23:12 [INFO] The CA key and certificate already exist
2019/09/26 14:23:12 [INFO] The key is stored by BCCSP provider 'SW'
2019/09/26 14:23:12 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
2019/09/26 14:23:12 [WARNING] Failed to connect to database 'fabmnetdb'
2019/09/26 14:23:12 [WARNING] Failed to connect to database 'postgres'
2019/09/26 14:23:12 [WARNING] Failed to connect to database 'template1'
2019/09/26 14:23:12 [ERROR] Error occurred initializing database: Failed to connect to Postgres database. Postgres requires connecting to a specific database, the following databases were tried: [fabmnetdb postgres template1]. Please create one of these database before continuing
2019/09/26 14:23:12 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
2019/09/26 14:23:12 [INFO] Operation Server Listening on 127.0.0.1:9443
2019/09/26 14:23:12 [INFO] Listening on http://0.0.0.0:7054

The corresponding postgresql-11-fabmnet-log file:

2019-09-26 14:15:05.203 CEST [1077] LOG:  received fast shutdown request
2019-09-26 14:15:05.206 CEST [1077] LOG:  aborting any active transactions
2019-09-26 14:15:05.213 CEST [1077] LOG:  background worker "logical replication launcher" (PID 1133) exited with exit code 1
2019-09-26 14:15:05.213 CEST [1126] LOG:  shutting down
2019-09-26 14:15:05.237 CEST [1077] LOG:  database system is shut down
2019-09-26 14:15:05.358 CEST [6705] FATAL:  could not access private key file "server.key": No such file or directory
2019-09-26 14:15:05.358 CEST [6705] LOG:  database system is shut down

The question is: how to create the .key together with the .pem file during the fabric-ca-server start?


On Thu, 26 Sep 2019 at 14:01, Nicholas Zanutim <nlzanutim@...> wrote:
I'm still not sure what step you are on or the command you're running but if you run

fabric-ca-server start -b admin:adminpw --tls.enabled 

then it should generate all of it for you with the flags. I still haven't tried Init first, configuring the
config file then running start. 

On Thursday, 26 September 2019 07:58:53 BRT, Marco Ippolito <ippolito.marco@...> wrote:


Hi Nicholas,

the fabric-ca-server-config.yaml is set as follows:

tls:
  # Enable TLS (default: false)
  enabled: false
  # TLS for the server's listening port
  certfile:
  keyfile:
  clientauth:
    type: noclientcert
    certfiles:

ca:
  # Name of this CA
  name:
  # Key file (is only used to import a private key into BCCSP)
  keyfile:
  # Certificate file (default: ca-cert.pem)
  certfile:
  # Chain file
  chainfile:

db:
  type: postgres
  datasource: host=localhost port=5433 user=fabmnet_admin password=fabmnet1971 dbname=fabmnetdb sslmode=verify-full

ldap:
  enabled: false


in /etc/postgresql/11/fabmnet/postgresql.conf  :

ssl = on
ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'

What am I doing wrongly?

Marco


On Thu, 26 Sep 2019 at 12:43, Marco Ippolito <ippolito.marco@...> wrote:
Hi Nicholas,
thanks for answering.

I'm trying to follow step-by-step the instructions described here: https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#fabric-ca-server



On Thu, 26 Sep 2019 at 12:30, Nicholas Leonardi <nlzanutim@...> wrote:
Please give us more details on what you're trying to do. Are you just starting the server and it gives the error? Are you trying to enroll/register with fabric-ca-client?

On Sep 26, 2019, at 07:17, Marco Ippolito <ippolito.marco@...> wrote:
After removing the previous cert and key files, I started the fabric-ca server again, discovering that new cert and key files were created:
 
(base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server start -b admin:adminpw
2019/09/26 11:56:18 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
2019/09/26 11:56:18 [INFO] Starting server in home directory: /home/marco/fabric/fabric-ca
2019/09/26 11:56:18 [INFO] Server Version: 1.4.4
2019/09/26 11:56:18 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/09/26 11:56:18 [WARNING] &{69 The specified CA certificate file /home/marco/fabric/fabric-ca/ca-cert.pem does not exist}
2019/09/26 11:56:18 [INFO] generating key: &{A:ecdsa S:256}
2019/09/26 11:56:18 [INFO] encoded CSR
2019/09/26 11:56:18 [INFO] signed certificate with serial number 542755587310273579559145444277178107021548224556
2019/09/26 11:56:18 [INFO] The CA key and certificate were generated for CA
2019/09/26 11:56:18 [INFO] The key was stored by BCCSP provider 'SW'
2019/09/26 11:56:18 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
2019/09/26 11:56:18 [WARNING] Failed to connect to database 'fabmnetdb'
2019/09/26 11:56:18 [WARNING] Failed to connect to database 'postgres'
2019/09/26 11:56:18 [WARNING] Failed to connect to database 'template1'
2019/09/26 11:56:18 [ERROR] Error occurred initializing database: Failed to connect to Postgres database. Postgres requires connecting to a specific database, the following databases were tried: [fabmnetdb postgres template1]. Please create one of these database before continuing
2019/09/26 11:56:18 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
2019/09/26 11:56:18 [INFO] Operation Server Listening on 127.0.0.1:9443
2019/09/26 11:56:18 [INFO] Listening on http://0.0.0.0:7054
 
but, again, the corresponding log says "bad certificate" :
 
2019-09-26 11:55:04.514 CEST [4837] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
2019-09-26 11:55:04.517 CEST [4839] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
2019-09-26 11:55:04.518 CEST [4840] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
2019-09-26 11:56:18.967 CEST [4862] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
2019-09-26 11:56:18.969 CEST [4865] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
2019-09-26 11:56:18.971 CEST [4866] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate


 
So..how could it be "bad certificate" if it's just been created brand new by the execution of fabric-ca-server start?

The fabric-ca-server-config.yaml is set as follows:

tls:
  # Enable TLS (default: false)
  enabled: false
  # TLS for the server's listening port
  certfile:
  keyfile:
  clientauth:
    type: noclientcert
    certfiles:

ca:
  # Name of this CA
  name:
  # Key file (is only used to import a private key into BCCSP)
  keyfile:
  # Certificate file (default: ca-cert.pem)
  certfile:
  # Chain file
  chainfile:

db:
  type: postgres
  datasource: host=localhost port=5433 user=fabmnet_admin password=fabmnet1971 dbname=fabmnetdb sslmode=verify-full

Can you please tell me how to correctly configure fabric-ca-server-config.yaml ?

Marco


Re: Raft - Multiple Orderers - LevelDB Error

Nicholas Leonardi
 

Changed what you suggested in the 
- ./crypto-config/peerOrganizations/peers/peer0.example.com/:/etc/hyperledger/
to 
- ./crypto-config/peerOrganizations/peers/peer0.example.com/:/etc/hyperledger/orderer1(2 and 3 respectively)

and that seemed to work but it doesn't make sense because the etc/hyperledger is internal. They're still pulling the same certificates from the peer and using the same shared directory. Worked but I still don't understand.

Appreciate the help, some other errors popped up regarding tls and stuff like that but I got it now. 


On Thursday, 26 September 2019 09:35:21 BRT, Gari Singh <garis@...> wrote:


Looking at the config below, it looks like you have

FABRIC_CFG_PATH=/etc/hyperledger/ordererConfig

and

volumes:
        - ./crypto-config/peerOrganizations/peers/peer0.example.com/:/etc/hyperledger/


for each of the orderer containers.  This results in all 3 containers using the same directory for their ledgers because all 3 of them are going to create "ordererConfig" in /etc/hyperledger which maps to the same directory on your host system.


I recall you said you had tried changing the FABRIC_CFG_PATH, but can you try again?
Keep everything else the same in the compose file except FABRIC_CFG_PATH.

You really want


FABRIC_CFG_PATH=/etc/hyperledger/ordererConfig for orderer
FABRIC_CFG_PATH=/etc/hyperledger/ordererConfig2 for orderer2
FABRIC_CFG_PATH=/etc/hyperledger/ordererConfig3 for orderer3






-----------------------------------------
Gari Singh
Distinguished Engineer, CTO - IBM Blockchain
IBM Middleware
550 King St
Littleton, MA 01460
Cell: 978-846-7499
garis@...
-----------------------------------------

-----fabric@... wrote: -----
To: Gari Singh <garis@...>
From: "Nicholas Leonardi via Lists.Hyperledger.Org"
Sent by: fabric@...
Date: 09/26/2019 08:03AM
Cc: fabric@...
Subject: [EXTERNAL] Re: [Hyperledger Fabric] Raft - Multiple Orderers - LevelDB Error

       
Yes of course. Here it is

  rca.example:
    container_name: rca.example.com
    image: hyperledger/fabric-ca:1.4.3
    command: sh -c 'fabric-ca-server start -d -b admin:adminpw --port 7054 --cfg.identities.allowremove'
    environment:
      - FABRIC_LOGGING_SPEC=grpc=debug:info
      - FABRIC_CA_SERVER_HOME=/etc/hyperledger/fabric-ca
      - FABRIC_CA_SERVER_CLIENT=/etc/hyperledger/fabric-ca-client
      - FABRIC_CA_CLIENT_TLS_CERTFILES=/etc/hyperledger/fabric-ca/tls-cert.pem
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_CA_NAME=rca.example.com
      - FABRIC_CA_SERVER_CSR_CN=rca.example.com
      - FABRIC_CA_SERVER_CSR_HOSTS=rca.example.com,192.168.65.89
      - FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca/tlsca/rca.example-key.pem
      - FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca/tlsca/rca.example-cert.pem
      - FABRIC_CA_SERVER_DEBUG=true
    volumes:
      - ./exampleCa/:/etc/hyperledger/fabric-ca
      - ./exampleCa/server:/etc/hyperledger/fabric-ca-server
      - ./exampleCa/client:/etc/hyperledger/fabric-ca-client
    ports:
      - 7054:7054
       
  orderer.example.com:
    container_name: orderer.example.com
    image: hyperledger/fabric-orderer
    environment:
      - FABRIC_LOGGING_SPEC=grpc=debug:info
      - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
      - ORDERER_GENERAL_GENESISMETHOD=file
      - ORDERER_GENERAL_GENESISFILE=/etc/hyperledger/configtx/genesis.block
      - ORDERER_GENERAL_LOCALMSPID=OrdererMSP
      - ORDERER_GENERAL_LOCALMSPDIR=/etc/hyperledger/orderer/msp
      - FABRIC_CFG_PATH=/etc/hyperledger/ordererConfig
      # Enable TLS
      - ORDERER_GENERAL_TLS_ENABLED=true
      - ORDERER_GENERAL_TLS_PRIVATEKEY=/etc/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_TLS_CERTIFICATE=/etc/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_TLS_ROOTCAS=[/etc/hyperledger/orderer/tls/ca.crt]
      - ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/etc/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/etc/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_CLUSTER_ROOTCAS=[/etc/hyperledger/orderer/tls/ca.crt]
    working_dir: /etc/hyperledger/
    command: orderer
    ports:
      - 7050:7050
    volumes:
        - ./config/:/etc/hyperledger/configtx
        - ./crypto-config/ordererOrganizations/orderers/orderer.example.com/:/etc/hyperledger/orderer
        - ./crypto-config/peerOrganizations/peers/peer0.example.com/:/etc/hyperledger/
        - ./ordererConfig:/etc/hyperledger/ordererConfig
    networks:
      - example

  orderer2.example.com:
    container_name: orderer2.example.com
    image: hyperledger/fabric-orderer
    environment:
      - FABRIC_LOGGING_SPEC=grpc=debug:info
      - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
      - ORDERER_GENERAL_GENESISMETHOD=file
      - ORDERER_GENERAL_GENESISFILE=/etc/hyperledger/configtx/genesis.block
      - ORDERER_GENERAL_LOCALMSPID=OrdererMSP
      - ORDERER_GENERAL_LOCALMSPDIR=/etc/hyperledger/orderer/msp
      - FABRIC_CFG_PATH=/etc/hyperledger/ordererConfig
      # Enable TLS
      - ORDERER_GENERAL_TLS_ENABLED=true
      - ORDERER_GENERAL_TLS_PRIVATEKEY=/etc/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_TLS_CERTIFICATE=/etc/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_TLS_ROOTCAS=[/etc/hyperledger/orderer/tls/ca.crt]
      - ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/etc/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/etc/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_CLUSTER_ROOTCAS=[/etc/hyperledger/orderer/tls/ca.crt]
    working_dir: /etc/hyperledger/orderer2
    command: orderer
    ports:
      - 7060:7050
    volumes:
        - ./config/:/etc/hyperledger/configtx
        - ./crypto-config/ordererOrganizations/orderers/orderer2.example.com/:/etc/hyperledger/orderer
        - ./crypto-config/peerOrganizations/peers/peer0.example.com/:/etc/hyperledger/
        - ./ordererConfig2:/etc/hyperledger/ordererConfig2   
    networks:
      - example

  orderer3.example.com:
    container_name: orderer3.example.com
    image: hyperledger/fabric-orderer
    environment:
      - FABRIC_LOGGING_SPEC=grpc=debug:info
      - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
      - ORDERER_GENERAL_GENESISMETHOD=file
      - ORDERER_GENERAL_GENESISFILE=/etc/hyperledger/configtx/genesis.block
      - ORDERER_GENERAL_LOCALMSPID=OrdererMSP
      - ORDERER_GENERAL_LOCALMSPDIR=/etc/hyperledger/orderer/msp
      - FABRIC_CFG_PATH=/etc/hyperledger/ordererConfig   
      # Enable TLS
      - ORDERER_GENERAL_TLS_ENABLED=true
      - ORDERER_GENERAL_TLS_PRIVATEKEY=/etc/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_TLS_CERTIFICATE=/etc/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_TLS_ROOTCAS=[/etc/hyperledger/orderer/tls/ca.crt]
      - ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/etc/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/etc/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_CLUSTER_ROOTCAS=[/etc/hyperledger/orderer/tls/ca.crt]
    working_dir: /etc/hyperledger/orderer3
    command: orderer
    ports:
      - 7070:7050
    volumes:
        - ./config/:/etc/hyperledger/configtx
        - ./crypto-config/ordererOrganizations/orderers/orderer3.example.com/:/etc/hyperledger/orderer
        - ./crypto-config/peerOrganizations/peers/peer0.example.com/:/etc/hyperledger/
        - ./ordererConfig3:/etc/hyperledger/ordererConfig3       
    networks:
      - example

  peer0.example.com:
    container_name: peer0.example.com
    image: hyperledger/fabric-peer
    environment:
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - CORE_PEER_ID=peer0.example.com
      - FABRIC_LOGGING_SPEC=grpc=debug:info
      - CORE_PEER_GOSSIP_USELEADERELECTION=false
      - CORE_PEER_GOSSIP_ORGLEADER=true
      - CORE_PEER_PROFILE_ENABLED=true
      - CORE_CHAINCODE_LOGGING_LEVEL=debug
      - CORE_PEER_LOCALMSPID=ExampleMSP
      - CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/peer/users/Admin@.../msp
      - CORE_PEER_ADDRESS=peer0.example.com:7051
      - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.example.com:7051
      - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=example_exam
      - CORE_LEDGER_STATE_STATEDATABASE=CouchDB
      - CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS=couchdb:5984
      - CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME=${COUCH_DB_USERNAME}
      - CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD=${COUCH_DB_PASSWORD}
      # Enable TLS
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/peer/peers/peer0.example.com/tls/server.crt
      - CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/peer/peers/peer0.example.com/tls/server.key
      - CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/peer/peers/peer0.example.com/tls/ca.crt
    working_dir: /etc/hyperledger/peer
    command: peer node start
    ports:
      - 7051:7051
      - 7053:7053
    volumes:
        - /var/run/:/host/var/run/
        - ./crypto-config/peerOrganizations/:/etc/hyperledger/peer
        - ./crypto-config/peerOrganizations/users:/etc/hyperledger/users
        - ./config:/etc/hyperledger/configtx
    depends_on:
      - orderer.example.com
      - couchdb
    networks:
      - example

  couchdb:
    container_name: couchdb
    image: hyperledger/fabric-couchdb
    environment:
      - COUCHDB_USER=${COUCH_DB_USERNAME}
      - COUCHDB_PASSWORD=${COUCH_DB_PASSWORD}
    ports:
      - 5984:5984
    networks:
      - example

  cli:
    container_name: cli
    image: hyperledger/fabric-tools
    tty: true
    environment:
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - FABRIC_LOGGING_SPEC=grpc=debug:info
      - CORE_PEER_ID=cli
      - CORE_PEER_ADDRESS=peer0.example.com:7051
      - CORE_PEER_LOCALMSPID=ExampleMSP
      - CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/peerOrganizations/users/Admin@.../msp
      - CORE_CHAINCODE_KEEPALIVE=10
      # Enable TLS
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/peerOrganizations/peers/peer0.example.com/tls/server.crt
      - CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/peerOrganizations/peers/peer0.example.com/tls/server.key
      - CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/peerOrganizations/peers/peer0.example.com/tls/ca.crt
    working_dir: /etc/hyperledger
    command: /bin/bash
    volumes:
        - /var/run/:/host/var/run/
        - ../../../fabric/chaincodes/:/opt/
        - ./crypto-config/:/etc/hyperledger/
        - ./config:/etc/hyperledger/channel-artifacts
    networks:
        - example
    depends_on:
      - orderer.example.com
      - peer0.example.com
      - couchdb



         
           
                 
On Wednesday, 25 September 2019 17:52:19 BRT, Gari Singh <garis@...> wrote:

               

               
I think we'd need to see the entire compose file here

-----------------------------------------
Gari Singh
Distinguished Engineer, CTO - IBM Blockchain
IBM Middleware
550 King St
Littleton, MA 01460
Cell: 978-846-7499
garis@...
-----------------------------------------
 

  ----- Original message -----
From: "Nicholas Leonardi via Lists.Hyperledger.Org" <nlzanutim=yahoo.com@...>
Sent by: fabric@...
To: Nye Liu <nye@...>
Cc: fabric@...
Subject: [EXTERNAL] Re: [Hyperledger Fabric] Raft - Multiple Orderers - LevelDB Error
Date: Wed, Sep 25, 2019 4:31 PM
 
I tried that. Same problem. Also, in the fabric samples they use the same working directories. I also noticed they use the same orderer Genesis block for all 3 which I'm also doing.
If I remove the last volume from all 3 I get a "failed to parse config" which I'm assuming is the configtx.yaml but that also doesn't solve it.
 
On Sep 25, 2019, at 17:06, Nye Liu <nye@...> wrote:
They all need different working directories. They can’t share leveldb files for obvious reasons.
 
On Sep 25, 2019, at 10:30 AM, Nicholas Leonardi via Lists.Hyperledger.Org <nlzanutim=yahoo.com@...> wrote:
Hey guys,
I'm trying to deploy 3 orderers on the same organization and machine.
I can't seem to get it working, two orderers gives me this error: 
 
panic: Error opening leveldb: resource temporarily unavailable
 
No idea what I'm doing wrong, I copied pretty much the same schematics 
from the example. Put them as consenters and addresses in the configtx file,
declared them in the docker-compose file as follows 
orderer2.example.com:
    container_name: orderer2.example.com
    image: hyperledger/fabric-orderer
    environment:
      - FABRIC_LOGGING_SPEC=grpc=debug:info
      - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
      - ORDERER_GENERAL_GENESISMETHOD=file
      - ORDERER_GENERAL_GENESISFILE=/etc/hyperledger/configtx/genesis.block
      - ORDERER_GENERAL_LOCALMSPID=OrdererMSP
      - ORDERER_GENERAL_LOCALMSPDIR=/etc/hyperledger/orderer/msp
      - FABRIC_CFG_PATH=/etc/hyperledger/ordererConfig
      # Enable TLS
      - ORDERER_GENERAL_TLS_ENABLED=true
      - ORDERER_GENERAL_TLS_PRIVATEKEY=/etc/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_TLS_CERTIFICATE=/etc/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_TLS_ROOTCAS=[/etc/hyperledger/orderer/tls/ca.crt]
      - ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/etc/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/etc/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_CLUSTER_ROOTCAS=[/etc/hyperledger/orderer/tls/ca.crt]
    working_dir: /etc/hyperledger/
    command: orderer
    ports:
      - 7060:7050
    volumes:
        - ./config/:/etc/hyperledger/configtx
        - ./crypto-config/ordererOrganizations/orderers/orderer2.example.com/:/etc/hyperledger/orderer
        - ./crypto-config/peerOrganizations/peers/peer0.example.com/:/etc/hyperledger/
        - ./ordererConfig2:/etc/hyperledger/ordererConfig       
    networks:
      - example
Obviously where there's "orderer2" it's changed to match the three other orderers. I've also 
used fabric-ca to generate their own identities however it was using the same MSP which 
still shouldn't be a problem.
 
I've tried:
Changing FABRIC_CFG_PATH on each which still shouldn't be a problem cus it's within the containers
Removing the  ./ordererConfig2:/etc/hyperledger/ordererConfig 
Adding different "Volumes:" at the top of the docker-compose file
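
The shared-directory diagnosis given earlier in this thread can be checked mechanically. The Python sketch below is an added example, not part of the thread or of Fabric: it re-types the FABRIC_CFG_PATH and bind mounts of the three orderers from the full compose file quoted above as constructed data, resolves each path to the host directory behind it, and reports host directories used by more than one container. It assumes, as that reply does, that the directory named by FABRIC_CFG_PATH is where each orderer keeps its state; all function names are hypothetical.

```python
import posixpath
from collections import defaultdict

PEER_DIR = "./crypto-config/peerOrganizations/peers/peer0.example.com/"
ORDERER_DIR = "./crypto-config/ordererOrganizations/orderers/"
NAMES = ["orderer.example.com", "orderer2.example.com", "orderer3.example.com"]


def orderer_service(n, cfg_path):
    """Constructed sample: FABRIC_CFG_PATH and volumes of orderer n from the thread."""
    suffix = "" if n == 1 else str(n)
    return {
        "environment": [f"FABRIC_CFG_PATH={cfg_path}"],
        "volumes": [
            "./config/:/etc/hyperledger/configtx",
            f"{ORDERER_DIR}orderer{suffix}.example.com/:/etc/hyperledger/orderer",
            f"{PEER_DIR}:/etc/hyperledger/",
            f"./ordererConfig{suffix}:/etc/hyperledger/ordererConfig{suffix}",
        ],
    }


def build(cfg_paths):
    return {name: orderer_service(i + 1, path)
            for i, (name, path) in enumerate(zip(NAMES, cfg_paths))}


# Compose file as posted: every orderer uses the same FABRIC_CFG_PATH.
AS_POSTED = build(["/etc/hyperledger/ordererConfig"] * 3)
# Values suggested in the reply: one FABRIC_CFG_PATH per orderer.
AS_SUGGESTED = build(["/etc/hyperledger/ordererConfig",
                      "/etc/hyperledger/ordererConfig2",
                      "/etc/hyperledger/ordererConfig3"])


def env_value(service, key):
    """Look up KEY in a compose-style list of 'KEY=value' strings."""
    for item in service.get("environment", []):
        name, _, value = item.partition("=")
        if name == key:
            return value
    return None


def parse_mount(spec):
    """Split 'host:container[:mode]' into normalised paths; None for anonymous volumes."""
    parts = spec.split(":")
    if len(parts) < 2:
        return None
    return posixpath.normpath(parts[0]), posixpath.normpath(parts[1])


def host_dir_for(service, container_path):
    """Host directory backing container_path, or None if no mount covers it."""
    path = posixpath.normpath(container_path)
    best = None
    for spec in service.get("volumes", []):
        mount = parse_mount(spec)
        if mount is None:
            continue
        host, target = mount
        # Compare whole path components: a mount at .../orderer must not be
        # taken to cover .../ordererConfig, nor .../ordererConfig cover ...Config2.
        covers = path == target or path.startswith(target.rstrip("/") + "/")
        if covers and (best is None or len(target) > len(best[1])):
            best = (host, target)  # the deepest (most specific) mount wins
    if best is None:
        return None
    host, target = best
    return posixpath.normpath(posixpath.join(host, posixpath.relpath(path, target)))


def shared_state_dirs(services, key="FABRIC_CFG_PATH"):
    """Map each host directory used by two or more services to those services."""
    by_host = defaultdict(list)
    for name, service in services.items():
        value = env_value(service, key)
        host = host_dir_for(service, value) if value else None
        if host is not None:
            by_host[host].append(name)
    return {h: sorted(n) for h, n in by_host.items() if len(n) > 1}


if __name__ == "__main__":
    for label, services in (("as posted", AS_POSTED), ("as suggested", AS_SUGGESTED)):
        print(label, shared_state_dirs(services) or "no shared directories")
```

In the file as posted, orderer2 and orderer3 mount their own directories at `ordererConfig2` and `ordererConfig3`, so their unchanged FABRIC_CFG_PATH falls through to the peer0 mount at `/etc/hyperledger/` and both land in the same host directory.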
 
 

                           


Re: "bad certificate" #fabric-ca #fabricca #fabric-questions

Marco Ippolito
 

Enabling TLS through command-line gives this output:

(base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server start -b admin:adminpw --tls.enabled
2019/09/26 14:02:09 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
2019/09/26 14:02:09 [INFO] Starting server in home directory: /home/marco/fabric/fabric-ca
2019/09/26 14:02:09 [INFO] Server Version: 1.4.4
2019/09/26 14:02:09 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/09/26 14:02:09 [INFO] The CA key and certificate already exist
2019/09/26 14:02:09 [INFO] The key is stored by BCCSP provider 'SW'
2019/09/26 14:02:09 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
2019/09/26 14:02:09 [WARNING] Failed to connect to database 'fabmnetdb'
2019/09/26 14:02:09 [WARNING] Failed to connect to database 'postgres'
2019/09/26 14:02:09 [WARNING] Failed to connect to database 'template1'
2019/09/26 14:02:09 [ERROR] Error occurred initializing database: Failed to connect to Postgres database. Postgres requires connecting to a specific database, the following databases were tried: [fabmnetdb postgres template1]. Please create one of these database before continuing
2019/09/26 14:02:09 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
2019/09/26 14:02:09 [INFO] Operation Server Listening on 127.0.0.1:9443
2019/09/26 14:02:09 [INFO] generating key: &{A:ecdsa S:256}
2019/09/26 14:02:09 [INFO] encoded CSR
2019/09/26 14:02:09 [INFO] signed certificate with serial number 92902964373330420996414514456924886556455364958
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0xe5d931]

goroutine 1 [running]:
github.com/hyperledger/fabric-ca/lib.(*CertDBAccessor).checkDB(...)
/home/marco/go/src/github.com/hyperledger/fabric-ca/lib/certdbaccessor.go:68
github.com/hyperledger/fabric-ca/lib.(*CertDBAccessor).InsertCertificate(0x0, 0xc0002449c0, 0x2f, 0xc000244a20, 0x28, 0x0, 0x0, 0x1101b40, 0x4, 0x0, ...)
/home/marco/go/src/github.com/hyperledger/fabric-ca/lib/certdbaccessor.go:84 +0x91
github.com/hyperledger/fabric-ca/vendor/github.com/cloudflare/cfssl/signer/local.(*Signer).Sign(0xc00026fc80, 0x0, 0x0, 0x0, 0xc0003f0800, 0x1f9, 0x0, 0x110158b, 0x3, 0x0, ...)
/home/marco/go/src/github.com/hyperledger/fabric-ca/vendor/github.com/cloudflare/cfssl/signer/local/local.go:408 +0xcbe
github.com/hyperledger/fabric-ca/lib.(*Server).autoGenerateTLSCertificateKey(0xc000110160, 0x29, 0xc0004f9c00)
/home/marco/go/src/github.com/hyperledger/fabric-ca/lib/server.go:878 +0x43e
github.com/hyperledger/fabric-ca/lib.(*Server).listenAndServe(0xc000110160, 0x1103e0c, 0x6)
/home/marco/go/src/github.com/hyperledger/fabric-ca/lib/server.go:634 +0xde8
github.com/hyperledger/fabric-ca/lib.(*Server).Start(0xc000110160, 0xc000110160, 0x0)
/home/marco/go/src/github.com/hyperledger/fabric-ca/lib/server.go:199 +0x377
main.(*ServerCmd).init.func3(0xc00015e480, 0xc000298840, 0x0, 0x3, 0x0, 0x0)
/home/marco/go/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/servercmd.go:121 +0xd5
github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).execute(0xc00015e480, 0xc000298780, 0x3, 0x3, 0xc00015e480, 0xc000298780)
/home/marco/go/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:643 +0x3e6
github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).ExecuteC(0xc00015e000, 0x5, 0xc00024bf01, 0xc0000cc140)
/home/marco/go/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:734 +0x2be
github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).Execute(...)
/home/marco/go/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:692
main.(*ServerCmd).Execute(...)
/home/marco/go/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/servercmd.go:69
main.RunMain(0xc0000cc000, 0x5, 0x5, 0xc00024bf88, 0xc0000a6058)
/home/marco/go/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:45 +0xb5
main.main()
/home/marco/go/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:27 +0x45

postgresql-11-fabmnet.log :

2019-09-26 14:02:09.669 CEST [6267] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
2019-09-26 14:02:09.672 CEST [6270] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
2019-09-26 14:02:09.675 CEST [6271] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate

The very first error message says: 2019/09/26 14:02:09 [WARNING] Failed to connect to database 'fabmnetdb'


I then modified the postgresql.conf file in order to point to the .pem file created during the fabric-ca-start execution. The problem is that there is no corresponding .key file:

putting in /etc/postgresql/11/fabmnet/postgresql.conf :

ssl_cert_file = '/home/marco/fabric/fabric-ca/ca-cert.pem'

but without any .key file because the fabric-ca-server start did create ca-cert.pem but not the corresponding .key file

(base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server start -b admin:adminpw
2019/09/26 14:23:12 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
2019/09/26 14:23:12 [INFO] Starting server in home directory: /home/marco/fabric/fabric-ca
2019/09/26 14:23:12 [INFO] Server Version: 1.4.4
2019/09/26 14:23:12 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/09/26 14:23:12 [INFO] The CA key and certificate already exist
2019/09/26 14:23:12 [INFO] The key is stored by BCCSP provider 'SW'
2019/09/26 14:23:12 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
2019/09/26 14:23:12 [WARNING] Failed to connect to database 'fabmnetdb'
2019/09/26 14:23:12 [WARNING] Failed to connect to database 'postgres'
2019/09/26 14:23:12 [WARNING] Failed to connect to database 'template1'
2019/09/26 14:23:12 [ERROR] Error occurred initializing database: Failed to connect to Postgres database. Postgres requires connecting to a specific database, the following databases were tried: [fabmnetdb postgres template1]. Please create one of these database before continuing
2019/09/26 14:23:12 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
2019/09/26 14:23:12 [INFO] Operation Server Listening on 127.0.0.1:9443
2019/09/26 14:23:12 [INFO] Listening on http://0.0.0.0:7054

The corresponding postgresql-11-fabmnet-log file:

2019-09-26 14:15:05.203 CEST [1077] LOG:  received fast shutdown request
2019-09-26 14:15:05.206 CEST [1077] LOG:  aborting any active transactions
2019-09-26 14:15:05.213 CEST [1077] LOG:  background worker "logical replication launcher" (PID 1133) exited with exit code 1
2019-09-26 14:15:05.213 CEST [1126] LOG:  shutting down
2019-09-26 14:15:05.237 CEST [1077] LOG:  database system is shut down
2019-09-26 14:15:05.358 CEST [6705] FATAL:  could not access private key file "server.key": No such file or directory
2019-09-26 14:15:05.358 CEST [6705] LOG:  database system is shut down

The question is: how to create the .key together with the .pem file during the fabric-ca-server start?


On Thu, 26 Sep 2019 at 14:01, Nicholas Zanutim <nlzanutim@...> wrote:
I'm still not sure what step you are on or the command you're running but if you run

fabric-ca-server start -b admin:adminpw --tls.enabled 

then it should generate all of it for you with the flags. I still haven't tried Init first, configuring the
config file then running start. 

On Thursday, 26 September 2019 07:58:53 BRT, Marco Ippolito <ippolito.marco@...> wrote:


Hi Nicholas,

the fabric-ca-server-config.yaml is set as follows:

tls:
  # Enable TLS (default: false)
  enabled: false
  # TLS for the server's listening port
  certfile:
  keyfile:
  clientauth:
    type: noclientcert
    certfiles:

ca:
  # Name of this CA
  name:
  # Key file (is only used to import a private key into BCCSP)
  keyfile:
  # Certificate file (default: ca-cert.pem)
  certfile:
  # Chain file
  chainfile:

db:
  type: postgres
  datasource: host=localhost port=5433 user=fabmnet_admin password=fabmnet1971 dbname=fabmnetdb sslmode=verify-full

ldap:
  enabled: false


in /etc/postgresql/11/fabmnet/postgresql.conf  :

ssl = on
ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'

What am I doing wrongly?

Marco


On Thu, 26 Sep 2019 at 12:43, Marco Ippolito <ippolito.marco@...> wrote:
Hi Nicholas,
thanks for answering.

I'm trying to follow step-by-step the instructions described here: https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#fabric-ca-server



On Thu, 26 Sep 2019 at 12:30, Nicholas Leonardi <nlzanutim@...> wrote:
Please give us more details on what you're trying to do. Are you just starting the server and it gives the error? Are you trying to enroll/register with fabric-ca-client?

On Sep 26, 2019, at 07:17, Marco Ippolito <ippolito.marco@...> wrote:
After removing the previous cert and key files, I started the fabric-ca server again, discovering that new cert and key files were created:
 
(base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server start -b admin:adminpw
2019/09/26 11:56:18 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
2019/09/26 11:56:18 [INFO] Starting server in home directory: /home/marco/fabric/fabric-ca
2019/09/26 11:56:18 [INFO] Server Version: 1.4.4
2019/09/26 11:56:18 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/09/26 11:56:18 [WARNING] &{69 The specified CA certificate file /home/marco/fabric/fabric-ca/ca-cert.pem does not exist}
2019/09/26 11:56:18 [INFO] generating key: &{A:ecdsa S:256}
2019/09/26 11:56:18 [INFO] encoded CSR
2019/09/26 11:56:18 [INFO] signed certificate with serial number 542755587310273579559145444277178107021548224556
2019/09/26 11:56:18 [INFO] The CA key and certificate were generated for CA
2019/09/26 11:56:18 [INFO] The key was stored by BCCSP provider 'SW'
2019/09/26 11:56:18 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
2019/09/26 11:56:18 [WARNING] Failed to connect to database 'fabmnetdb'
2019/09/26 11:56:18 [WARNING] Failed to connect to database 'postgres'
2019/09/26 11:56:18 [WARNING] Failed to connect to database 'template1'
2019/09/26 11:56:18 [ERROR] Error occurred initializing database: Failed to connect to Postgres database. Postgres requires connecting to a specific database, the following databases were tried: [fabmnetdb postgres template1]. Please create one of these database before continuing
2019/09/26 11:56:18 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
2019/09/26 11:56:18 [INFO] Operation Server Listening on 127.0.0.1:9443
2019/09/26 11:56:18 [INFO] Listening on http://0.0.0.0:7054
 
but, again, the corresponding log says "bad certificate" :
 
2019-09-26 11:55:04.514 CEST [4837] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
2019-09-26 11:55:04.517 CEST [4839] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
2019-09-26 11:55:04.518 CEST [4840] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
2019-09-26 11:56:18.967 CEST [4862] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
2019-09-26 11:56:18.969 CEST [4865] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
2019-09-26 11:56:18.971 CEST [4866] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate


 
So..how could it be "bad certificate" if it's just been created brand new by the execution of fabric-ca-server start?

The fabric-ca-server-config.yaml is set as follows:

tls:
  # Enable TLS (default: false)
  enabled: false
  # TLS for the server's listening port
  certfile:
  keyfile:
  clientauth:
    type: noclientcert
    certfiles:

ca:
  # Name of this CA
  name:
  # Key file (is only used to import a private key into BCCSP)
  keyfile:
  # Certificate file (default: ca-cert.pem)
  certfile:
  # Chain file
  chainfile:

db:
  type: postgres
  datasource: host=localhost port=5433 user=fabmnet_admin password=fabmnet1971 dbname=fabmnetdb sslmode=verify-full

Can you please tell me how to correctly configure fabric-ca-server-config.yaml ?

Marco


Re: Raft - Multiple Orderers - LevelDB Error

Gari Singh <garis@...>
 

Looking at the config below, it looks like you have

FABRIC_CFG_PATH=/etc/hyperledger/ordererConfig

and

volumes:
- ./crypto-config/peerOrganizations/peers/peer0.example.com/:/etc/hyperledger/


for each of the orderer containers. This results in all 3 containers using the same directory for their ledgers because all 3 of them are going to create "ordererConfig" in /etc/hyperledger which maps to the same directory on your host system.


I recall you said you had tried changing the FABRIC_CFG_PATH, but can you try again?
Keep everything else the same in the compose file except FABRIC_CFG_PATH.

You really want


FABRIC_CFG_PATH=/etc/hyperledger/ordererConfig for orderer
FABRIC_CFG_PATH=/etc/hyperledger/ordererConfig2 for orderer2
FABRIC_CFG_PATH=/etc/hyperledger/ordererConfig3 for orderer3






-----------------------------------------
Gari Singh
Distinguished Engineer, CTO - IBM Blockchain
IBM Middleware
550 King St
Littleton, MA 01460
Cell: 978-846-7499
garis@...
-----------------------------------------
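
The check described in the reply above, as an added example that is not part of the thread and is not Fabric or Docker code: it resolves each orderer's FABRIC_CFG_PATH to the host directory that backs it and reports directories shared by more than one container. The service data is transcribed from the compose file quoted below; the function names are hypothetical, and the example assumes that the bind mount with the longest matching container path is the one that backs a given path.

```python
"""Resolve where each orderer's FABRIC_CFG_PATH lands on the Docker host."""
import posixpath
from collections import defaultdict

PEER0_DIR = "./crypto-config/peerOrganizations/peers/peer0.example.com/"
ORDERER_DIR = "./crypto-config/ordererOrganizations/orderers/"


def orderer(name, cfg_mount):
    """Build one orderer entry as it appears in the quoted compose file."""
    return {
        # FABRIC_CFG_PATH is identical for all three orderers in the thread.
        "cfg_path": "/etc/hyperledger/ordererConfig",
        "volumes": [
            "./config/:/etc/hyperledger/configtx",
            ORDERER_DIR + name + "/:/etc/hyperledger/orderer",
            PEER0_DIR + ":/etc/hyperledger/",
            cfg_mount,
        ],
    }


# Transcribed from the thread; only the fields needed for path resolution.
SERVICES = {
    "orderer.example.com": orderer(
        "orderer.example.com", "./ordererConfig:/etc/hyperledger/ordererConfig"),
    "orderer2.example.com": orderer(
        "orderer2.example.com", "./ordererConfig2:/etc/hyperledger/ordererConfig2"),
    "orderer3.example.com": orderer(
        "orderer3.example.com", "./ordererConfig3:/etc/hyperledger/ordererConfig3"),
}

# The per-orderer values suggested in the reply above.
SUGGESTED_CFG_PATHS = {
    "orderer.example.com": "/etc/hyperledger/ordererConfig",
    "orderer2.example.com": "/etc/hyperledger/ordererConfig2",
    "orderer3.example.com": "/etc/hyperledger/ordererConfig3",
}


def parse_bind(spec):
    """Split 'host:container[:mode]' into normalized (host, container) paths."""
    host, container = spec.split(":")[:2]
    return posixpath.normpath(host), posixpath.normpath(container)


def resolve_on_host(container_path, volumes):
    """Return the host path backing container_path, or None if no bind mount
    covers it. A nested mount shadows its parent, so the longest match wins."""
    target = posixpath.normpath(container_path)
    best = None
    for spec in volumes:
        host, mount = parse_bind(spec)
        covers = target == mount or target.startswith(mount.rstrip("/") + "/")
        if covers and (best is None or len(mount) > len(best[1])):
            best = (host, mount)
    if best is None:
        return None
    host, mount = best
    return posixpath.normpath(posixpath.join(host, posixpath.relpath(target, mount)))


def shared_cfg_dirs(services):
    """Map host directory -> services whose cfg_path resolves to it, keeping
    only directories used by more than one service."""
    by_host = defaultdict(list)
    for name, svc in services.items():
        host = resolve_on_host(svc["cfg_path"], svc["volumes"])
        if host is not None:
            by_host[host].append(name)
    return {h: sorted(names) for h, names in by_host.items() if len(names) > 1}


def with_cfg_paths(services, cfg_paths):
    """Return a copy of services with FABRIC_CFG_PATH replaced per service."""
    return {name: {**svc, "cfg_path": cfg_paths.get(name, svc["cfg_path"])}
            for name, svc in services.items()}


if __name__ == "__main__":
    for label, svcs in (("as posted", SERVICES),
                        ("suggested", with_cfg_paths(SERVICES, SUGGESTED_CFG_PATHS))):
        print(label)
        for name, svc in svcs.items():
            print("  ", name, "->", resolve_on_host(svc["cfg_path"], svc["volumes"]))
        print("   shared:", shared_cfg_dirs(svcs) or "none")
```

On the compose file as posted, orderer2 and orderer3 resolve to the same directory under the peer0 bind mount, while the first orderer is backed by ./ordererConfig; with the suggested values each orderer resolves to its own host directory.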

-----fabric@... wrote: -----
To: Gari Singh <garis@...>
From: "Nicholas Leonardi via Lists.Hyperledger.Org"
Sent by: fabric@...
Date: 09/26/2019 08:03AM
Cc: fabric@...
Subject: [EXTERNAL] Re: [Hyperledger Fabric] Raft - Multiple Orderers - LevelDB Error


Yes of course. Here it is

  rca.example:
    container_name: rca.example.com
    image: hyperledger/fabric-ca:1.4.3
    command: sh -c 'fabric-ca-server start -d -b admin:adminpw --port 7054 --cfg.identities.allowremove'
    environment:
      - FABRIC_LOGGING_SPEC=grpc=debug:info
      - FABRIC_CA_SERVER_HOME=/etc/hyperledger/fabric-ca
      - FABRIC_CA_SERVER_CLIENT=/etc/hyperledger/fabric-ca-client
      - FABRIC_CA_CLIENT_TLS_CERTFILES=/etc/hyperledger/fabric-ca/tls-cert.pem
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_CA_NAME=rca.example.com
      - FABRIC_CA_SERVER_CSR_CN=rca.example.com
      - FABRIC_CA_SERVER_CSR_HOSTS=rca.example.com,192.168.65.89
      - FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca/tlsca/rca.example-key.pem
      - FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca/tlsca/rca.example-cert.pem
      - FABRIC_CA_SERVER_DEBUG=true
    volumes:
      - ./exampleCa/:/etc/hyperledger/fabric-ca
      - ./exampleCa/server:/etc/hyperledger/fabric-ca-server
      - ./exampleCa/client:/etc/hyperledger/fabric-ca-client
    ports:
      - 7054:7054

  orderer.example.com:
    container_name: orderer.example.com
    image: hyperledger/fabric-orderer
    environment:
      - FABRIC_LOGGING_SPEC=grpc=debug:info
      - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
      - ORDERER_GENERAL_GENESISMETHOD=file
      - ORDERER_GENERAL_GENESISFILE=/etc/hyperledger/configtx/genesis.block
      - ORDERER_GENERAL_LOCALMSPID=OrdererMSP
      - ORDERER_GENERAL_LOCALMSPDIR=/etc/hyperledger/orderer/msp
      - FABRIC_CFG_PATH=/etc/hyperledger/ordererConfig
      # Enable TLS
      - ORDERER_GENERAL_TLS_ENABLED=true
      - ORDERER_GENERAL_TLS_PRIVATEKEY=/etc/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_TLS_CERTIFICATE=/etc/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_TLS_ROOTCAS=[/etc/hyperledger/orderer/tls/ca.crt]
      - ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/etc/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/etc/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_CLUSTER_ROOTCAS=[/etc/hyperledger/orderer/tls/ca.crt]
    working_dir: /etc/hyperledger/
    command: orderer
    ports:
      - 7050:7050
    volumes:
      - ./config/:/etc/hyperledger/configtx
      - ./crypto-config/ordererOrganizations/orderers/orderer.example.com/:/etc/hyperledger/orderer
      - ./crypto-config/peerOrganizations/peers/peer0.example.com/:/etc/hyperledger/
      - ./ordererConfig:/etc/hyperledger/ordererConfig
    networks:
      - example

  orderer2.example.com:
    container_name: orderer2.example.com
    image: hyperledger/fabric-orderer
    environment:
      - FABRIC_LOGGING_SPEC=grpc=debug:info
      - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
      - ORDERER_GENERAL_GENESISMETHOD=file
      - ORDERER_GENERAL_GENESISFILE=/etc/hyperledger/configtx/genesis.block
      - ORDERER_GENERAL_LOCALMSPID=OrdererMSP
      - ORDERER_GENERAL_LOCALMSPDIR=/etc/hyperledger/orderer/msp
      - FABRIC_CFG_PATH=/etc/hyperledger/ordererConfig
      # Enable TLS
      - ORDERER_GENERAL_TLS_ENABLED=true
      - ORDERER_GENERAL_TLS_PRIVATEKEY=/etc/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_TLS_CERTIFICATE=/etc/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_TLS_ROOTCAS=[/etc/hyperledger/orderer/tls/ca.crt]
      - ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/etc/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/etc/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_CLUSTER_ROOTCAS=[/etc/hyperledger/orderer/tls/ca.crt]
    working_dir: /etc/hyperledger/orderer2
    command: orderer
    ports:
      - 7060:7050
    volumes:
      - ./config/:/etc/hyperledger/configtx
      - ./crypto-config/ordererOrganizations/orderers/orderer2.example.com/:/etc/hyperledger/orderer
      - ./crypto-config/peerOrganizations/peers/peer0.example.com/:/etc/hyperledger/
      - ./ordererConfig2:/etc/hyperledger/ordererConfig2
    networks:
      - example

  orderer3.example.com:
    container_name: orderer3.example.com
    image: hyperledger/fabric-orderer
    environment:
      - FABRIC_LOGGING_SPEC=grpc=debug:info
      - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
      - ORDERER_GENERAL_GENESISMETHOD=file
      - ORDERER_GENERAL_GENESISFILE=/etc/hyperledger/configtx/genesis.block
      - ORDERER_GENERAL_LOCALMSPID=OrdererMSP
      - ORDERER_GENERAL_LOCALMSPDIR=/etc/hyperledger/orderer/msp
      - FABRIC_CFG_PATH=/etc/hyperledger/ordererConfig
      # Enable TLS
      - ORDERER_GENERAL_TLS_ENABLED=true
      - ORDERER_GENERAL_TLS_PRIVATEKEY=/etc/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_TLS_CERTIFICATE=/etc/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_TLS_ROOTCAS=[/etc/hyperledger/orderer/tls/ca.crt]
      - ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/etc/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/etc/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_CLUSTER_ROOTCAS=[/etc/hyperledger/orderer/tls/ca.crt]
    working_dir: /etc/hyperledger/orderer3
    command: orderer
    ports:
      - 7070:7050
    volumes:
      - ./config/:/etc/hyperledger/configtx
      - ./crypto-config/ordererOrganizations/orderers/orderer3.example.com/:/etc/hyperledger/orderer
      - ./crypto-config/peerOrganizations/peers/peer0.example.com/:/etc/hyperledger/
      - ./ordererConfig3:/etc/hyperledger/ordererConfig3
    networks:
      - example

  peer0.example.com:
    container_name: peer0.example.com
    image: hyperledger/fabric-peer
    environment:
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - CORE_PEER_ID=peer0.example.com
      - FABRIC_LOGGING_SPEC=grpc=debug:info
      - CORE_PEER_GOSSIP_USELEADERELECTION=false
      - CORE_PEER_GOSSIP_ORGLEADER=true
      - CORE_PEER_PROFILE_ENABLED=true
      - CORE_CHAINCODE_LOGGING_LEVEL=debug
      - CORE_PEER_LOCALMSPID=ExampleMSP
      - CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/peer/users/Admin@.../msp
      - CORE_PEER_ADDRESS=peer0.example.com:7051
      - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.example.com:7051
      - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=example_exam
      - CORE_LEDGER_STATE_STATEDATABASE=CouchDB
      - CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS=couchdb:5984
      - CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME=${COUCH_DB_USERNAME}
      - CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD=${COUCH_DB_PASSWORD}
      # Enable TLS
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/peer/peers/peer0.example.com/tls/server.crt
      - CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/peer/peers/peer0.example.com/tls/server.key
      - CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/peer/peers/peer0.example.com/tls/ca.crt
    working_dir: /etc/hyperledger/peer
    command: peer node start
    ports:
      - 7051:7051
      - 7053:7053
    volumes:
      - /var/run/:/host/var/run/
      - ./crypto-config/peerOrganizations/:/etc/hyperledger/peer
      - ./crypto-config/peerOrganizations/users:/etc/hyperledger/users
      - ./config:/etc/hyperledger/configtx
    depends_on:
      - orderer.example.com
      - couchdb
    networks:
      - example

  couchdb:
    container_name: couchdb
    image: hyperledger/fabric-couchdb
    environment:
      - COUCHDB_USER=${COUCH_DB_USERNAME}
      - COUCHDB_PASSWORD=${COUCH_DB_PASSWORD}
    ports:
      - 5984:5984
    networks:
      - example

  cli:
    container_name: cli
    image: hyperledger/fabric-tools
    tty: true
    environment:
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - FABRIC_LOGGING_SPEC=grpc=debug:info
      - CORE_PEER_ID=cli
      - CORE_PEER_ADDRESS=peer0.example.com:7051
      - CORE_PEER_LOCALMSPID=ExampleMSP
      - CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/peerOrganizations/users/Admin@.../msp
      - CORE_CHAINCODE_KEEPALIVE=10
      # Enable TLS
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/peerOrganizations/peers/peer0.example.com/tls/server.crt
      - CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/peerOrganizations/peers/peer0.example.com/tls/server.key
      - CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/peerOrganizations/peers/peer0.example.com/tls/ca.crt
    working_dir: /etc/hyperledger
    command: /bin/bash
    volumes:
      - /var/run/:/host/var/run/
      - ../../../fabric/chaincodes/:/opt/
      - ./crypto-config/:/etc/hyperledger/
      - ./config:/etc/hyperledger/channel-artifacts
    networks:
      - example
    depends_on:
      - orderer.example.com
      - peer0.example.com
      - couchdb






On Wednesday, 25 September 2019 17:52:19 BRT, Gari Singh <garis@...> wrote:




I think we'd need to see the entire compose file here


----- Original message -----
From: "Nicholas Leonardi via Lists.Hyperledger.Org" <nlzanutim=yahoo.com@...>
Sent by: fabric@...
To: Nye Liu <nye@...>
Cc: fabric@...
Subject: [EXTERNAL] Re: [Hyperledger Fabric] Raft - Multiple Orderers - LevelDB Error
Date: Wed, Sep 25, 2019 4:31 PM

I tried that. Same problem. Also, in the fabric samples they use the same working directories. I also noticed they use the same orderer Genesis block for all 3 which I'm also doing.
If I remove the last volume from all 3 I get a "failed to parse config" which I'm assuming is the configtx.yaml but that also doesn't solve it.

On Sep 25, 2019, at 17:06, Nye Liu <nye@...> wrote:
They all need different working directories. They can’t share leveldb files for obvious reasons.

On Sep 25, 2019, at 10:30 AM, Nicholas Leonardi via Lists.Hyperledger.Org < nlzanutim=yahoo.com@...> wrote:
Hey guys,
I'm trying to deploy 3 orderers on the same organization and machine.
I can't seem to get it working, two orderers gives me this error:

panic: Error opening leveldb: resource temporarily unavailable

No idea what I'm doing wrong, I copied pretty much the same schematics
from the example. Put them as consenters and addresses in the configtx file,
declared them in the docker-compose file as follows
  orderer2.example.com:
    container_name: orderer2.example.com
    image: hyperledger/fabric-orderer
    environment:
      - FABRIC_LOGGING_SPEC=grpc=debug:info
      - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
      - ORDERER_GENERAL_GENESISMETHOD=file
      - ORDERER_GENERAL_GENESISFILE=/etc/hyperledger/configtx/genesis.block
      - ORDERER_GENERAL_LOCALMSPID=OrdererMSP
      - ORDERER_GENERAL_LOCALMSPDIR=/etc/hyperledger/orderer/msp
      - FABRIC_CFG_PATH=/etc/hyperledger/ordererConfig
      # Enable TLS
      - ORDERER_GENERAL_TLS_ENABLED=true
      - ORDERER_GENERAL_TLS_PRIVATEKEY=/etc/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_TLS_CERTIFICATE=/etc/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_TLS_ROOTCAS=[/etc/hyperledger/orderer/tls/ca.crt]
      - ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/etc/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/etc/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_CLUSTER_ROOTCAS=[/etc/hyperledger/orderer/tls/ca.crt]
    working_dir: /etc/hyperledger/
    command: orderer
    ports:
      - 7060:7050
    volumes:
      - ./config/:/etc/hyperledger/configtx
      - ./crypto-config/ordererOrganizations/orderers/orderer2.example.com/:/etc/hyperledger/orderer
      - ./crypto-config/peerOrganizations/peers/peer0.example.com/:/etc/hyperledger/
      - ./ordererConfig2:/etc/hyperledger/ordererConfig
    networks:
      - example
Obviously where there's "orderer2" it's changed to match the three other orderers. I've also
used fabric-ca to generate their own identities however it was using the same MSP which
still shouldn't be a problem.

I've tried:
Changing FABRIC_CFG_PATH on each which still shouldn't be a problem cus it's within the containers
Removing the ./ordererConfig2:/etc/hyperledger/ordererConfig
Adding different "Volumes:" at the top of the docker-compose file


Re: Kafka To RAFT Migration #fabric #kafka #raft

soumya nayak <soumyarjnnayak@...>
 

Hi all, 

The below issue was resolved and I was able to successfully migrate from kafka to RAFT for v1.4.3.

The issue was that I forgot to add the channel capabilities in my configtx yaml file.
After adding them, everything worked well.

Regards, 
Soumya


On Thu 19 Sep, 2019, 5:38 PM soumya nayak via Lists.Hyperledger.Org, <soumyarjnnayak=gmail.com@...> wrote:
Hi All,

V1.4.3 - Fabric
System channel created -- ordererchannel
Application channel created -- legaldescriptionchannel

While migrating from Kafka to RAFT I am getting an error in step 2

Step - 1 --> Updating both the system channel and application channel -- Maintenance Mode (*Completed*)
Step - 2 --> Updating the JSON with RAFT details -- type as "etcdraft" and metadata with all the consenter details and submitting for channel update in application channel is giving me the below error --
*Error: got unexpected status: BAD_REQUEST -- error applying config update to existing channel 'legaldescriptionchannel': attempted to change consensus type from kafka to etcdraft .

Below is the Capabilities section in my configtx.yaml file.
Capabilities:
    Channel: &ChannelCapabilities
        V1_4_3: true
        V1_3: false
        V1_1: false
    Application: &ApplicationCapabilities
        V1_4_2: true
        V1_3: false
        V1_2: false
        V1_1: false
    Orderer: &OrdererCapabilities
        V1_4_2: true
        V1_1: false

Please find attached the fabric-CLI tool logs and the orderer logs.

Regards,
Soumya


Re: Raft - Multiple Orderers - LevelDB Error

Anil Singh <anil.singh@...>
 

A quick cross check ...

- Could you please check that your instance is NOT too small?
- That your file descriptor limit is not exhausted, as LevelDB works more like a file read/write?

Thanks,
Anil


Re: Mutual TLS Issue #fabric #fabric-ca

soumya nayak <soumyarjnnayak@...>
 

Hi Jean, 

What is the fabric version and the order type (kafka or raft)?

Also, can you attach the docker compose files of your peer and orderers?

Regards, 
Soumya


On Thu 26 Sep, 2019, 5:22 PM Jean-Gaël Dominé, <jgdomine@...> wrote:
Hi,

I'm trying to set up a one way TLS instead of a mutual one. So on my peers and orderer, the flags *_TLS_CLIENTAUTHREQUIRED are all set to false.

When starting the network, everything seems to go well (channel creation, join, anchor peers, install and instantiate) as I don't have any error in the logs of my API (used instead of a CLI).
But in the orderer logs, I see this:
2019-09-26 11:38:26.715 UTC [core.comm] ServerHandshake -> ERRO 00f TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=10.50.129.2:46848
2019-09-26 11:38:26.715 UTC [grpc] handleRawConn -> DEBU 010 grpc: Server.Serve failed to complete security handshake from "10.50.129.2:46848": remote error: tls: bad certificate
and that in the peer logs:
2019-09-26 11:47:26.124 UTC [grpc] createTransport -> DEBU f93 grpc: addrConn.createTransport failed to connect to {orderer-miles-com:7050 0  <nil>}. Err :connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority". Reconnecting...
So the communication between the peers and the orderer does not work. From what I read in this post, it looks as if I had the client TLS activated. So I'm lost because I spent a lot of time trying to solve this but to no avail until now...

In my case, I'm trying to use the CA instead of cryptogen to generate the artifacts. The configuration works well if I use TLS with cryptogen or if I use the CA without TLS on the components

Thank you in advance for your help and I hope I'm clear enough


Re: Raft - Multiple Orderers - LevelDB Error

Nicholas Leonardi
 

Yes of course. Here it is

rca.example:
      container_name: rca.example.com
      image: hyperledger/fabric-ca:1.4.3
      command: sh -c 'fabric-ca-server start -d -b admin:adminpw --port 7054 --cfg.identities.allowremove'
      environment:
         - FABRIC_LOGGING_SPEC=grpc=debug:info        
         - FABRIC_CA_SERVER_HOME=/etc/hyperledger/fabric-ca
         - FABRIC_CA_SERVER_CLIENT=/etc/hyperledger/fabric-ca-client
         - FABRIC_CA_CLIENT_TLS_CERTFILES=/etc/hyperledger/fabric-ca/tls-cert.pem
         - FABRIC_CA_SERVER_TLS_ENABLED=true
         - FABRIC_CA_SERVER_CA_NAME=rca.example.com
         - FABRIC_CA_SERVER_CSR_CN=rca.example.com
         - FABRIC_CA_SERVER_CSR_HOSTS=rca.example.com,192.168.65.89
         - FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca/tlsca/rca.example-key.pem
         - FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca/tlsca/rca.example-cert.pem
         - FABRIC_CA_SERVER_DEBUG=true
      volumes:
         - ./exampleCa/:/etc/hyperledger/fabric-ca
         - ./exampleCa/server:/etc/hyperledger/fabric-ca-server
         - ./exampleCa/client:/etc/hyperledger/fabric-ca-client
      ports:
         - 7054:7054
         
  orderer.example.com:
    container_name: orderer.example.com
    image: hyperledger/fabric-orderer
    environment:
      - FABRIC_LOGGING_SPEC=grpc=debug:info
      - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
      - ORDERER_GENERAL_GENESISMETHOD=file
      - ORDERER_GENERAL_GENESISFILE=/etc/hyperledger/configtx/genesis.block
      - ORDERER_GENERAL_LOCALMSPID=OrdererMSP
      - ORDERER_GENERAL_LOCALMSPDIR=/etc/hyperledger/orderer/msp
      - FABRIC_CFG_PATH=/etc/hyperledger/ordererConfig
      # Enable TLS
      - ORDERER_GENERAL_TLS_ENABLED=true
      - ORDERER_GENERAL_TLS_PRIVATEKEY=/etc/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_TLS_CERTIFICATE=/etc/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_TLS_ROOTCAS=[/etc/hyperledger/orderer/tls/ca.crt]
      - ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/etc/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/etc/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_CLUSTER_ROOTCAS=[/etc/hyperledger/orderer/tls/ca.crt]
    working_dir: /etc/hyperledger/
    command: orderer
    ports:
      - 7050:7050
    volumes:
        - ./config/:/etc/hyperledger/configtx
        - ./crypto-config/ordererOrganizations/orderers/orderer.example.com/:/etc/hyperledger/orderer
        - ./crypto-config/peerOrganizations/peers/peer0.example.com/:/etc/hyperledger/
        - ./ordererConfig:/etc/hyperledger/ordererConfig
    networks:
      - example

  orderer2.example.com:
    container_name: orderer2.example.com
    image: hyperledger/fabric-orderer
    environment:
      - FABRIC_LOGGING_SPEC=grpc=debug:info
      - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
      - ORDERER_GENERAL_GENESISMETHOD=file
      - ORDERER_GENERAL_GENESISFILE=/etc/hyperledger/configtx/genesis.block
      - ORDERER_GENERAL_LOCALMSPID=OrdererMSP
      - ORDERER_GENERAL_LOCALMSPDIR=/etc/hyperledger/orderer/msp
      - FABRIC_CFG_PATH=/etc/hyperledger/ordererConfig
      # Enable TLS
      - ORDERER_GENERAL_TLS_ENABLED=true
      - ORDERER_GENERAL_TLS_PRIVATEKEY=/etc/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_TLS_CERTIFICATE=/etc/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_TLS_ROOTCAS=[/etc/hyperledger/orderer/tls/ca.crt]
      - ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/etc/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/etc/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_CLUSTER_ROOTCAS=[/etc/hyperledger/orderer/tls/ca.crt]
    working_dir: /etc/hyperledger/orderer2
    command: orderer
    ports:
      - 7060:7050
    volumes:
        - ./config/:/etc/hyperledger/configtx
        - ./crypto-config/ordererOrganizations/orderers/orderer2.example.com/:/etc/hyperledger/orderer
        - ./crypto-config/peerOrganizations/peers/peer0.example.com/:/etc/hyperledger/
        - ./ordererConfig2:/etc/hyperledger/ordererConfig2     
    networks:
      - example

  orderer3.example.com:
    container_name: orderer3.example.com
    image: hyperledger/fabric-orderer
    environment:
      - FABRIC_LOGGING_SPEC=grpc=debug:info
      - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
      - ORDERER_GENERAL_GENESISMETHOD=file
      - ORDERER_GENERAL_GENESISFILE=/etc/hyperledger/configtx/genesis.block
      - ORDERER_GENERAL_LOCALMSPID=OrdererMSP
      - ORDERER_GENERAL_LOCALMSPDIR=/etc/hyperledger/orderer/msp
      - FABRIC_CFG_PATH=/etc/hyperledger/ordererConfig    
      # Enable TLS
      - ORDERER_GENERAL_TLS_ENABLED=true
      - ORDERER_GENERAL_TLS_PRIVATEKEY=/etc/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_TLS_CERTIFICATE=/etc/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_TLS_ROOTCAS=[/etc/hyperledger/orderer/tls/ca.crt]
      - ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/etc/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/etc/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_CLUSTER_ROOTCAS=[/etc/hyperledger/orderer/tls/ca.crt]
    working_dir: /etc/hyperledger/orderer3
    command: orderer
    ports:
      - 7070:7050
    volumes:
        - ./config/:/etc/hyperledger/configtx
        - ./crypto-config/ordererOrganizations/orderers/orderer3.example.com/:/etc/hyperledger/orderer
        - ./crypto-config/peerOrganizations/peers/peer0.example.com/:/etc/hyperledger/
        - ./ordererConfig3:/etc/hyperledger/ordererConfig3        
    networks:
      - example

  peer0.example.com:
    container_name: peer0.example.com
    image: hyperledger/fabric-peer
    environment:
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - CORE_PEER_ID=peer0.example.com
      - FABRIC_LOGGING_SPEC=grpc=debug:info
      - CORE_PEER_GOSSIP_USELEADERELECTION=false
      - CORE_PEER_GOSSIP_ORGLEADER=true
      - CORE_PEER_PROFILE_ENABLED=true
      - CORE_CHAINCODE_LOGGING_LEVEL=debug
      - CORE_PEER_LOCALMSPID=ExampleMSP
      - CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/peer/users/Admin@.../msp
      - CORE_PEER_ADDRESS=peer0.example.com:7051
      - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.example.com:7051
      - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=example_exam
      - CORE_LEDGER_STATE_STATEDATABASE=CouchDB
      - CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS=couchdb:5984
      - CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME=${COUCH_DB_USERNAME}
      - CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD=${COUCH_DB_PASSWORD}
      # Enable TLS
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/peer/peers/peer0.example.com/tls/server.crt
      - CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/peer/peers/peer0.example.com/tls/server.key
      - CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/peer/peers/peer0.example.com/tls/ca.crt
    working_dir: /etc/hyperledger/peer
    command: peer node start
    ports:
      - 7051:7051
      - 7053:7053
    volumes:
        - /var/run/:/host/var/run/
        - ./crypto-config/peerOrganizations/:/etc/hyperledger/peer
        - ./crypto-config/peerOrganizations/users:/etc/hyperledger/users
        - ./config:/etc/hyperledger/configtx
    depends_on:
      - orderer.example.com
      - couchdb
    networks:
      - example

  couchdb:
    container_name: couchdb
    image: hyperledger/fabric-couchdb
    environment:
      - COUCHDB_USER=${COUCH_DB_USERNAME}
      - COUCHDB_PASSWORD=${COUCH_DB_PASSWORD}
    ports:
      - 5984:5984
    networks:
      - example

  cli:
    container_name: cli
    image: hyperledger/fabric-tools
    tty: true
    environment:
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - FABRIC_LOGGING_SPEC=grpc=debug:info
      - CORE_PEER_ID=cli
      - CORE_PEER_ADDRESS=peer0.example.com:7051
      - CORE_PEER_LOCALMSPID=ExampleMSP
      - CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/peerOrganizations/users/Admin@.../msp
      - CORE_CHAINCODE_KEEPALIVE=10
      # Enable TLS
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/peerOrganizations/peers/peer0.example.com/tls/server.crt
      - CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/peerOrganizations/peers/peer0.example.com/tls/server.key
      - CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/peerOrganizations/peers/peer0.example.com/tls/ca.crt
    working_dir: /etc/hyperledger
    command: /bin/bash
    volumes:
        - /var/run/:/host/var/run/
        - ../../../fabric/chaincodes/:/opt/
        - ./crypto-config/:/etc/hyperledger/
        - ./config:/etc/hyperledger/channel-artifacts
    networks:
        - example
    depends_on:
      - orderer.example.com
      - peer0.example.com
      - couchdb



On Wednesday, 25 September 2019 17:52:19 BRT, Gari Singh <garis@...> wrote:


I think we'd need to see the entire compose file here

-----------------------------------------
Gari Singh
Distinguished Engineer, CTO - IBM Blockchain
IBM Middleware
550 King St
Littleton, MA 01460
Cell: 978-846-7499
garis@...
-----------------------------------------
 
 

----- Original message -----
From: "Nicholas Leonardi via Lists.Hyperledger.Org" <nlzanutim=yahoo.com@...>
Sent by: fabric@...
To: Nye Liu <nye@...>
Cc: fabric@...
Subject: [EXTERNAL] Re: [Hyperledger Fabric] Raft - Multiple Orderers - LevelDB Error
Date: Wed, Sep 25, 2019 4:31 PM
 
I tried that. Same problem. Also, in the fabric samples they use the same working directories. I also noticed they use the same orderer Genesis block for all 3 which I'm also doing.
If I remove the last volume from all 3 I get a "failed to parse config" which I'm assuming is the configtx.yaml but that also doesn't solve it.
 
On Sep 25, 2019, at 17:06, Nye Liu <nye@...> wrote:
They all need different working directories. They can’t share leveldb files for obvious reasons.
 
On Sep 25, 2019, at 10:30 AM, Nicholas Leonardi via Lists.Hyperledger.Org < nlzanutim=yahoo.com@...> wrote:
 
Hey guys,
I'm trying to deploy 3 orderers on the same organization and machine.
I can't seem to get it working, two orderers give me this error: 
 
panic: Error opening leveldb: resource temporarily unavailable
 
No idea what I'm doing wrong, I copied pretty much the same schematics 
from the example. Put them as consenters and addresses in the configtx file,
declared them in the docker-compose file as follows 
  orderer2.example.com:
    container_name: orderer2.example.com
    image: hyperledger/fabric-orderer
    environment:
      - FABRIC_LOGGING_SPEC=grpc=debug:info
      - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
      - ORDERER_GENERAL_GENESISMETHOD=file
      - ORDERER_GENERAL_GENESISFILE=/etc/hyperledger/configtx/genesis.block
      - ORDERER_GENERAL_LOCALMSPID=OrdererMSP
      - ORDERER_GENERAL_LOCALMSPDIR=/etc/hyperledger/orderer/msp
      - FABRIC_CFG_PATH=/etc/hyperledger/ordererConfig
      # Enable TLS
      - ORDERER_GENERAL_TLS_ENABLED=true
      - ORDERER_GENERAL_TLS_PRIVATEKEY=/etc/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_TLS_CERTIFICATE=/etc/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_TLS_ROOTCAS=[/etc/hyperledger/orderer/tls/ca.crt]
      - ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/etc/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/etc/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_CLUSTER_ROOTCAS=[/etc/hyperledger/orderer/tls/ca.crt]
    working_dir: /etc/hyperledger/
    command: orderer
    ports:
      - 7060:7050
    volumes:
        - ./config/:/etc/hyperledger/configtx
        - ./crypto-config/ordererOrganizations/orderers/orderer2.example.com/:/etc/hyperledger/orderer
        - ./crypto-config/peerOrganizations/peers/peer0.example.com/:/etc/hyperledger/
        - ./ordererConfig2:/etc/hyperledger/ordererConfig        
    networks:
      - example
Obviously where there's "orderer2" it's changed to match the three other orderers. I've also 
used fabric-ca to generate their own identities however it was using the same MSP which 
still shouldn't be a problem.
 
I've tried:
Changing FABRIC_CFG_PATH on each which still shouldn't be a problem cus it's within the containers
Removing the  ./ordererConfig2:/etc/hyperledger/ordererConfig
Adding different "Volumes:" at the top of the docker-compose file
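
Added example (not from the thread and not Fabric code), Linux/Unix only: the situation Nye Liu's reply describes, three orderer processes opening one ledger directory versus one directory each. It assumes the store claims its directory with a non-blocking exclusive flock on a LOCK file; `openLedger`, `startOrderers`, `lockHeldElsewhere` and the directory names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// openLedger claims dir the way an embedded key-value store would: create
// dir/LOCK and take a non-blocking exclusive flock on it. The returned file
// must stay open for as long as the ledger is in use.
func openLedger(dir string) (*os.File, error) {
	if err := os.MkdirAll(dir, 0o755); err != nil {
		return nil, err
	}
	f, err := os.OpenFile(filepath.Join(dir, "LOCK"), os.O_RDWR|os.O_CREATE, 0o644)
	if err != nil {
		return nil, err
	}
	if err := syscall.Flock(int(f.Fd()), syscall.LOCK_EX|syscall.LOCK_NB); err != nil {
		f.Close()
		return nil, fmt.Errorf("Error opening leveldb: %w", err)
	}
	return f, nil
}

// lockHeldElsewhere reports whether err means another holder owns the lock.
func lockHeldElsewhere(err error) bool {
	return errors.Is(err, syscall.EAGAIN)
}

// startOrderers opens one ledger per orderer, in order, keeping each lock held
// until all have been tried. It returns the error each orderer hit (nil = ok).
// ledgerDir maps an orderer name to the directory its ledger ends up in.
func startOrderers(names []string, ledgerDir map[string]string) map[string]error {
	result := make(map[string]error, len(names))
	var held []*os.File
	defer func() {
		for _, f := range held {
			f.Close() // closing the descriptor releases the flock
		}
	}()
	for _, n := range names {
		f, err := openLedger(ledgerDir[n])
		result[n] = err
		if err == nil {
			held = append(held, f)
		}
	}
	return result
}

func main() {
	base, err := os.MkdirTemp("", "orderer-ledgers") // constructed scratch space
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)

	names := []string{"orderer", "orderer2", "orderer3"}
	shared, separate := map[string]string{}, map[string]string{}
	for _, n := range names {
		shared[n] = filepath.Join(base, "shared") // every orderer lands in one directory
		separate[n] = filepath.Join(base, n)      // one directory per orderer
	}
	for _, layout := range []struct {
		label string
		dirs  map[string]string
	}{{"shared", shared}, {"separate", separate}} {
		res := startOrderers(names, layout.dirs)
		for _, n := range names {
			fmt.Printf("%-8s %-8s -> %v\n", layout.label, n, res[n])
		}
	}
}
```

With the shared layout the first orderer starts and the other two fail with the error from the post, which matches "two orderers give me this error".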
 
 
 


Re: Mutual TLS Issue #fabric #fabric-ca

Jean-Gaël Dominé <jgdomine@...>
 

Hi,

I'm trying to set up a one way TLS instead of a mutual one. So on my peers and orderer, the flags *_TLS_CLIENTAUTHREQUIRED are all set to false.

When starting the network, everything seems to go well (channel creation, join, anchor peers, install and instantiate) as I don't have any error in the logs of my API (used instead of a CLI).
But in the orderer logs, I see this:
2019-09-26 11:38:26.715 UTC [core.comm] ServerHandshake -> ERRO 00f TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=10.50.129.2:46848
2019-09-26 11:38:26.715 UTC [grpc] handleRawConn -> DEBU 010 grpc: Server.Serve failed to complete security handshake from "10.50.129.2:46848": remote error: tls: bad certificate
and that in the peer logs:
2019-09-26 11:47:26.124 UTC [grpc] createTransport -> DEBU f93 grpc: addrConn.createTransport failed to connect to {orderer-miles-com:7050 0  <nil>}. Err :connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority". Reconnecting...
So the communication between the peers and the orderer does not work. From what I read in this post, it looks as if I had the client TLS activated. So I'm lost because I spent a lot of time trying to solve this but to no avail until now...

In my case, I'm trying to use the CA instead of cryptogen to generate the artifacts. The configuration works well if I use TLS with cryptogen or if I use the CA without TLS on the components

Thank you in advance for your help and I hope I'm clear enough


Re: "bad certificate" #fabric-ca #fabricca #fabric-questions

Marco Ippolito
 

Hi Nicholas,

the fabric-ca-server-config.yaml is set as follows:

tls:
  # Enable TLS (default: false)
  enabled: false
  # TLS for the server's listening port
  certfile:
  keyfile:
  clientauth:
    type: noclientcert
    certfiles:

ca:
  # Name of this CA
  name:
  # Key file (is only used to import a private key into BCCSP)
  keyfile:
  # Certificate file (default: ca-cert.pem)
  certfile:
  # Chain file
  chainfile:

db:
  type: postgres
  datasource: host=localhost port=5433 user=fabmnet_admin password=fabmnet1971 dbname=fabmnetdb sslmode=verify-full

ldap:
  enabled: false


in /etc/postgresql/11/fabmnet/postgresql.conf  :

ssl = on
ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'

What am I doing wrongly?

Marco




Re: "bad certificate" #fabric-ca #fabricca #fabric-questions

Marco Ippolito
 

Hi Nicholas,
thanks for answering.

I'm trying to follow step-by-step the instructions described here: https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#fabric-ca-server





Re: "bad certificate" #fabric-ca #fabricca #fabric-questions

Nicholas Leonardi
 

Please give us more details on what you're trying to do. Are you just starting the server and it gives the error? Are you trying to enroll/register with fabric-ca-client?



Marco Ippolito
 

After removing the previous cert and key files, I started the fabric-ca server again and discovered that new cert and key files were created:
 
(base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server start -b admin:adminpw
2019/09/26 11:56:18 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
2019/09/26 11:56:18 [INFO] Starting server in home directory: /home/marco/fabric/fabric-ca
2019/09/26 11:56:18 [INFO] Server Version: 1.4.4
2019/09/26 11:56:18 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/09/26 11:56:18 [WARNING] &{69 The specified CA certificate file /home/marco/fabric/fabric-ca/ca-cert.pem does not exist}
2019/09/26 11:56:18 [INFO] generating key: &{A:ecdsa S:256}
2019/09/26 11:56:18 [INFO] encoded CSR
2019/09/26 11:56:18 [INFO] signed certificate with serial number 542755587310273579559145444277178107021548224556
2019/09/26 11:56:18 [INFO] The CA key and certificate were generated for CA
2019/09/26 11:56:18 [INFO] The key was stored by BCCSP provider 'SW'
2019/09/26 11:56:18 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
2019/09/26 11:56:18 [WARNING] Failed to connect to database 'fabmnetdb'
2019/09/26 11:56:18 [WARNING] Failed to connect to database 'postgres'
2019/09/26 11:56:18 [WARNING] Failed to connect to database 'template1'
2019/09/26 11:56:18 [ERROR] Error occurred initializing database: Failed to connect to Postgres database. Postgres requires connecting to a specific database, the following databases were tried: [fabmnetdb postgres template1]. Please create one of these database before continuing
2019/09/26 11:56:18 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
2019/09/26 11:56:18 [INFO] Operation Server Listening on 127.0.0.1:9443
2019/09/26 11:56:18 [INFO] Listening on http://0.0.0.0:7054
 
but, again, the corresponding log says "bad certificate" :
 
2019-09-26 11:55:04.514 CEST [4837] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
2019-09-26 11:55:04.517 CEST [4839] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
2019-09-26 11:55:04.518 CEST [4840] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
2019-09-26 11:56:18.967 CEST [4862] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
2019-09-26 11:56:18.969 CEST [4865] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate
2019-09-26 11:56:18.971 CEST [4866] [unknown]@[unknown] LOG:  could not accept SSL connection: sslv3 alert bad certificate


 
So... how could it be "bad certificate" if it's just been created brand new by the execution of fabric-ca-server start?

The fabric-ca-server-config.yaml is set as follows:

tls:
  # Enable TLS (default: false)
  enabled: false
  # TLS for the server's listening port
  certfile:
  keyfile:
  clientauth:
    type: noclientcert
    certfiles:

ca:
  # Name of this CA
  name:
  # Key file (is only used to import a private key into BCCSP)
  keyfile:
  # Certificate file (default: ca-cert.pem)
  certfile:
  # Chain file
  chainfile:

db:
  type: postgres
  datasource: host=localhost port=5433 user=fabmnet_admin password=fabmnet1971 dbname=fabmnetdb sslmode=verify-full

Can you please tell me how to correctly configure fabric-ca-server-config.yaml ?

Marco
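
Added example (not from the posts, and not Fabric or fabric-ca code): a Go TLS handshake with client authentication off, in which the client cannot verify the server's certificate. The client reports the x509 error while the server only sees "remote error: tls: bad certificate", the pairing shown in the orderer and peer logs of the Mutual TLS post; the Postgres log in this thread is likewise a server-side record of a bad certificate alert. The CAs `tls-ca-a` and `tls-ca-b`, the helper names and all certificates are constructed for the demo; `orderer-miles-com` is the host name from the peer log.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// newCert makes a throwaway cert (constructed data): a self-signed CA if parent is nil, else a server cert for cn.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else {
		tmpl.DNSNames = []string{cn} // clients match the dialled name against the SAN
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// bufferedPipe relays two unbuffered net.Pipe pairs so a side can write its alert while the other is mid-write.
func bufferedPipe() (client, server net.Conn) {
	c1, c2 := net.Pipe()
	s1, s2 := net.Pipe()
	go func() { io.Copy(s1, c2); s1.Close() }() // client -> server
	go func() { io.Copy(c2, s1); c2.Close() }() // server -> client
	return c1, s2
}

// handshake runs one TLS handshake in memory; the client trusts only `trusted` and expects serverName.
func handshake(leaf *x509.Certificate, leafKey *ecdsa.PrivateKey, trusted *x509.Certificate, serverName string) (clientErr, serverErr error) {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	cRaw, sRaw := bufferedPipe()
	defer cRaw.Close()
	defer sRaw.Close()
	srv := tls.Server(sRaw, &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}},
		ClientAuth:   tls.NoClientCert, // one-way TLS: no client certificate is requested
	})
	cli := tls.Client(cRaw, &tls.Config{RootCAs: pool, ServerName: serverName})
	done := make(chan error, 1)
	go func() { done <- srv.Handshake() }()
	return cli.Handshake(), <-done
}

func classify(err error) string { // names why the client gave up
	var ua x509.UnknownAuthorityError
	var hn x509.HostnameError
	if errors.As(err, &ua) {
		return "unknown-authority"
	} else if errors.As(err, &hn) {
		return "hostname-mismatch"
	} else if err != nil {
		return "other"
	}
	return "ok"
}

func main() {
	caA, keyA := newCert("tls-ca-a", nil, nil) // issues the server certificate
	caB, _ := newCert("tls-ca-b", nil, nil)    // unrelated CA
	leaf, leafKey := newCert("orderer-miles-com", caA, keyA)
	for _, trusted := range []*x509.Certificate{caA, caB} {
		c, s := handshake(leaf, leafKey, trusted, "orderer-miles-com")
		fmt.Printf("client trusts %s: client=%s (%v) server=%v\n", trusted.Subject.CommonName, classify(c), c, s)
	}
	c, s := handshake(leaf, leafKey, caA, "localhost") // right CA, name not in the certificate
	fmt.Printf("dialled as localhost: client=%s (%v) server=%v\n", classify(c), c, s)
}
```

A "bad certificate" line in a server log with client authentication disabled therefore points at the client's trust store or the name it dialled, not at client certificates.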


Upcoming Event: Hyperledger Fabric Quarterly Update Due #tsc-project-update - Thu, 10/03/2019 #tsc-project-update #cal-reminder

fabric@lists.hyperledger.org Calendar <fabric@...>
 

Reminder: Hyperledger Fabric Quarterly Update Due #tsc-project-update

When: Thursday, 3 October 2019

Organizer: community-architects@...

Description: The Hyperledger Fabric update to the TSC is due 30 September, 2019. Please be sure that someone from the community completes the update and is available to present it to the TSC on 3 October, 2019.


Re: What is the purpose of CORE_PEER_ADDRESS when chaincode is being invoked on multiple peers?

Anil Singh <anil.singh@...>
 

As Will mentioned and I put up earlier, if you are using the CLI, 'CORE_PEER_ADDRESS' is where you are executing the command **from**. I get that you don't want any peer to execute any command, but you have to execute the command FROM some peer.

I hope you understand that you need some sort of client (at the end of the day, a peer machine) to fire your invoke command.

Thanks,
Anil


On September 26, 2019 12:12 AM Siddharth Jain <siddjain@...> wrote:


We are using 1.3 of Fabric. The error is similar to that bug, although that bug is regarding a CORE_PEER_TLS flag.

Also see inline. Thanks:



From: William T Lahti <wtlahti@...>
Sent: Wednesday, September 25, 2019 11:34 AM
To: siddjain@... <siddjain@...>
Cc: fabric@... <fabric@...>
Subject: RE: [Hyperledger Fabric] What is the purpose of CORE_PEER_ADDRESS when chaincode is being invoked on multiple peers?

Can you clarify which version of Fabric you're using? This appears to be caused by the same bug you reported in  https://jira.hyperledger.org/browse/FAB-15506, which was fixed in v1.4.2. 

In regards to the CORE_PEER_ADDRESS, it's used to specify the peer you want to execute the command (and has nothing to do with the user running the command). 

Could you please explain what you mean by the above using an example? I am not sure what you mean by "specify the peer you want to execute the command" - I don't want any peer to execute any command. We want them to execute chaincode (peer chaincode invoke)

When the --peerAddresses flag is used to provide a list of peers, the CORE_PEER_ADDRESS is ignored. 

If it's ignored then why do we need to set it though? If we don't set it we get an error - that is the original question in this thread. Is that a bug in Fabric? Did it get fixed in v1.4?

Regards,
Will Lahti

----- Original message -----
From: "Siddharth Jain" <siddjain@...>
Sent by: fabric@...
To: "fabric@..." <fabric@...>, Anil Singh <anil.singh@...>
Cc:
Subject: [EXTERNAL] Re: [Hyperledger Fabric] What is the purpose of CORE_PEER_ADDRESS when chaincode is being invoked on multiple peers?
Date: Wed, Sep 25, 2019 12:45 PM
 
Sorry, I have no idea what this means. Some examples would be helpful. As stated in the question we are running the peer chaincode invoke command (say on Joe's machine) to invoke chaincode on remote peers. Since that command takes a list of target peers in the --peerAddresses flag, then what is the use of CORE_PEER_ADDRESS? If we don't specify it, there is an error. Joe is a user. He is not a peer.



From: Anil Singh <anil.singh@...>
Sent: Tuesday, September 24, 2019 10:37 PM
To: Siddharth Jain <siddjain@...>; fabric@... <fabric@...>
Subject: Re: [Hyperledger Fabric] What is the purpose of CORE_PEER_ADDRESS when chaincode is being invoked on multiple peers?

It depends on where you are using this.

When used as peer config, this represents the endpoint to other peers in the same organization. For peers in other organizations, see
gossip.externalEndpoint for more info.

When used as CLI config, this means the peer's endpoint to interact with.

Thanks,
Anil
On September 25, 2019 4:18 AM Siddharth Jain <siddjain@...> wrote:


Ping on this as I never received an answer and it has been troubling me for some time. Is this a bug in Fabric?



Re: how to use the peer chaincode invoke CLI with smart contracts introduced in 1.4

Labib Farag Labib
 

Hello Siddharth,
you can specify the name of the smart contract in the command parameter -n,
and -c as the parameter to the chaincode:

peer chaincode invoke -o orderer.example.com:7050 -C mychannel \
  -n NAME_OF_CHAIN_CODE --peerAddresses peer0.org1.example.com:7051 --peerAddresses peer0.org2.example.com:9051 -c '{"Args":["invoke","a","b","10"]}'
