Re: Hyperledger Fabric Gateway fails with certificate signed by unknown authority but certificates pass an openssl test
#hyperledger-fabric
#tls
#fabric-sdk-go
Yacov
You have an intermediate CA but you use AddCert, which receives a single certificate object (not a PEM but literally the x509 certificate).
You need to add both the root CA and the intermediate CA. Easiest is to use AppendCertsFromPEM on the content of the concatenated file.
From: fabric@... <fabric@...> on behalf of afrancoc2000@... <afrancoc2000@...>
Sent: Thursday, February 10, 2022 2:38 PM
To: fabric@... <fabric@...>
Subject: [EXTERNAL] [Hyperledger Fabric] Hyperledger Fabric Gateway fails with certificate signed by unknown authority but certificates pass an openssl test #hyperledger-fabric #tls #fabric-sdk-go
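Added example (not code from the thread or from fabric-gateway) showing Yacov's point in Go: AddCert puts exactly one parsed certificate into the pool, while AppendCertsFromPEM loads every CERTIFICATE block of the concatenated file. It builds a throwaway root -> intermediate -> orderer chain in memory, assumes the single certificate handed to AddCert is the root CA and that the server presents only its leaf; the names, serials and chain layout (ICA first, then root) are constructed to mirror the post.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// issue signs a throwaway certificate for cn with parent; a nil parent produces a self-signed root.
func issue(serial int64, cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 keygen does not fail with crypto/rand
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced above always parses
	return cert, key
}

// Demo builds root -> intermediate -> orderer leaf, encodes a chain.crt-style PEM (intermediate
// first, then root, as in the post) and verifies the leaf the way a gRPC client does when the
// server sends only its own certificate: once against an AddCert pool, once against AppendCertsFromPEM.
func Demo() (rootOnlyErr, fullChainErr error) {
	root, rootKey := issue(1, "root-ca", true, nil, nil)
	ica, icaKey := issue(2, "intermediate-ca", true, root, rootKey)
	leaf, _ := issue(3, "orderer.example.com", false, ica, icaKey)
	var chainPEM []byte // constructed chain.crt: intermediate CA followed by root CA
	for _, c := range []*x509.Certificate{ica, root} {
		chainPEM = append(chainPEM, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	// AddCert takes one parsed *x509.Certificate; with only the root present the leaf's
	// issuer is nowhere in the pool: "x509: certificate signed by unknown authority".
	rootOnly := x509.NewCertPool()
	rootOnly.AddCert(root)
	_, rootOnlyErr = leaf.Verify(x509.VerifyOptions{Roots: rootOnly, DNSName: leaf.Subject.CommonName})
	// AppendCertsFromPEM parses every CERTIFICATE block, so intermediate and root both land in the pool.
	fullChain := x509.NewCertPool()
	if !fullChain.AppendCertsFromPEM(chainPEM) {
		panic("no certificates parsed from chain PEM")
	}
	_, fullChainErr = leaf.Verify(x509.VerifyOptions{Roots: fullChain, DNSName: leaf.Subject.CommonName})
	return rootOnlyErr, fullChainErr
}

func main() {
	rootOnlyErr, fullChainErr := Demo()
	fmt.Printf("AddCert(root) only: %v\nAppendCertsFromPEM: %v\n", rootOnlyErr, fullChainErr)
}
```

Note that Go also accepts a pool member that is itself an intermediate as a trust anchor, so which single certificate loadCertificate returns decides whether the AddCert variant fails; loading the whole file removes the guesswork.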
Waiting on Approving Smart Contract for org Org1MSP
Ahmet Orkun Gedik
Hello,
I faced a problem during deployment of a smart contract on my local machine. I set up a basic 1-org local Fabric scenario. When I try to deploy the smart contract, the system waits at the IBM Blockchain Platform Extension task "Approving Smart Contract for org Org1MSP" and never completes it. There are no errors of any kind in either the Docker or the VS Code output log files. What may cause this problem?
Thank you for your co-operation.
Saygılarımla/Best regards/Mit freundlichen Grüßen,
Fab3 setup with EVM Chaincode
Gourav Sarkar <gourav.sarkar@...>
Hi,
I was trying to build the fab proxy with EVM chaincode. I followed the link below. However, I got the error mentioned in the screenshot below (I used Fabric 1.4.7). Did anyone face this issue, or am I missing something?
https://github.com/IBM/loyalty-points-evm-fabric/blob/master/README.md#2-setup-fab3
Warm Regards, Gourav.
Re: Issue updating TLS certificates for Raft Consenters
#consensus
#configtxgen
#fabric-orderer
afrancoc2000@...
Hi Yacov,
Thanks, I saw the commits with that change so I tried that first: I generated the new certs using the same private keys and uploaded them without changing the configuration, but I don't know why, it didn't work; the orderers didn't start. That's why I'm changing the config. I just tried downgrading to v2.3 and forcing GODEBUG=x509ignoreCN=0 by running the orderer command like this: GODEBUG=x509ignoreCN=0 orderer, and it worked! Now I've got consensus and I'm updating the config again.
Thanks!
Ana
Hyperledger Fabric Gateway fails with certificate signed by unknown authority but certificates pass an openssl test
#hyperledger-fabric
#tls
#fabric-sdk-go
afrancoc2000@...
Hi Team,
I'm having trouble making the "Hyperledger Fabric Gateway for Go" execute a smart contract, although I am using it successfully for listening to events.

This is the error I get in the client:

    Submit error with gRPC status DeadlineExceeded: rpc error: code = DeadlineExceeded desc = context deadline exceeded

This is the error I get in the orderer:

    Server TLS handshake failed in 2.628549ms with error remote error: tls: bad certificate server=Orderer remoteaddress=10.250.37.115:40858

This is the error I get in the peer:

    Client TLS handshake failed after 6.156747ms with error: x509: certificate signed by unknown authority remoteaddress=10.250.37.195:443

The IP 10.250.37.195 corresponds to the ingress service external IP and 10.250.37.115 corresponds to the ingress controller. The ingress controller has ssl-passthrough configured, so the certificates are not being overridden by it.

I'm using a chain certificate that begins with an ICA cert followed, in the same file, by the root certificate. This chain.crt file is stored in the orderers at "/var/hyperledger/orderer/tls/chain.crt"; both ORDERER_GENERAL_TLS_ROOTCAS and ORDERER_GENERAL_TLS_CLIENTROOTCAS point to it. I tested my TLS certificate against the chain.crt using openssl and the answer is OK.

I'm not sure where else to look to make it work. I tested my code against the test network and it works; using the old Node SDK the connection works too.

This is my code (error handling removed for readability):

    // Error handling was removed by the author for readability; err is not checked in this excerpt.
    func NewGrpcConnection(fabricConfig config.FabricConfig) (*grpc.ClientConn, error) {
        caCertificate, err := loadCertificate(fabricConfig.TlsCaPath)
        keypair, err := loadCertificateKeyPair(fabricConfig.TlsCertPath, fabricConfig.TlsKeyPath)

        // AddCert adds exactly one parsed certificate to the pool.
        certPool := x509.NewCertPool()
        certPool.AddCert(caCertificate)

        transportCredentials := credentials.NewTLS(&tls.Config{
            ServerName:   fabricConfig.HostName,
            RootCAs:      certPool,
            ClientCAs:    certPool, // only consulted by a TLS server; unused on the client side
            Certificates: []tls.Certificate{*keypair},
        })

        connection, err := grpc.Dial(fabricConfig.PeerEndpoint, grpc.WithTransportCredentials(transportCredentials))
        return connection, nil
    }

    func NewGateway(clientConnection *grpc.ClientConn, fabricConfig config.FabricConfig) (*client.Gateway, error) {
        id, err := newIdentity(fabricConfig.CertPath, fabricConfig.OrgName)
        sign, err := newSign(fabricConfig.KeyPath)

        gateway, err := client.Connect(
            id,
            client.WithSign(sign),
            client.WithClientConnection(clientConnection),
            client.WithEvaluateTimeout(5*time.Second),
            client.WithEndorseTimeout(15*time.Second),
            client.WithSubmitTimeout(5*time.Second),
            client.WithCommitStatusTimeout(1*time.Minute),
        )
        return gateway, err
    }

    func main() {
        grpcConnection, err := fabric.NewGrpcConnection(*clientConfig.FabricConfig)
        defer grpcConnection.Close()

        gateway, err := fabric.NewGateway(grpcConnection, *clientConfig.FabricConfig)
        defer gateway.Close()

        network := gateway.GetNetwork(clientConfig.FabricConfig.ChannelName)
        contract := network.GetContract(clientConfig.FabricConfig.ContractName)
        result, err = contract.SubmitTransaction(request.Fcn, request.Args...)
    }

I also tried overriding the pod's SSL certificates by adding the CA certificates to /usr/local/share/ca-certificates/ and running the update-ca-certificates command, with no luck.

What am I doing wrong? Any ideas where else to look? Do I need to add the TLS root and ICA certificates to the MSP folder under msp/tlscacerts and msp/tlsintermediatecerts too? I have FABRIC_LOGGING_SPEC="grpc=debug:info"; is there a way to see which certificate is coming in for validation?

Thanks,
Ana Franco
Tech Leader
how core peer address works
Nikos Karamolegkos
Hello, I am studying the examples of fabric-sdk-go and I am wondering how the connection to the desired peer takes place in order to invoke a transaction or query the ledger. When I use the Fabric CLI I set CORE_PEER_ADDRESS to the desired peer (as the test-network tutorial suggests). Thus, in case I would like to use fabric-sdk-go, I have seen that at this point the address is set. Is this the only parameter I have to set in order to, for example, query the ledger using peer0?

Also, I am a bit confused about peer discovery: the peers are running in containers and the end_to_end.go program is running locally on my host, so how does end_to_end.go know where the peer is running (i.e. in the container)? Is it enough to set "peer0.org1.example.com"? Also, what happens if the peers are running in different Kubernetes pods? What should I change in my end_to_end.go program?

Thanks,
--
Nikos Karamolegkos
R & D engineer at ICS-FORTH
Telecommunications and Networks Lab (TNL)
Documentation Workgroup restarting
Hello Fabric docs team,
The Documentation Workgroup meetings are restarting this Friday, February 11, at 11:00 a.m. EST. The meetings are scheduled for 11-12 EST every 4th Friday, i.e. monthly more or less, and more can be added as needed.
This week will be a kickoff meeting of sorts, bring any and all topics for discussion.
The agenda is available at
https://wiki.hyperledger.org/display/fabric/2022+02+11+DWG+Agenda
Regards,
Josh Horton
joshh@...
Re: Issue updating TLS certificates for Raft Consenters
#consensus
#configtxgen
#fabric-orderer
Yacov
Can't you just issue the certificate with the same public key but with SANs?
You don't need to do the config update if the public key of the TLS certificate stays the same.
You can just change the certificate and that's it.
From: fabric@... <fabric@...> on behalf of afrancoc2000@... <afrancoc2000@...>
Sent: Wednesday, February 9, 2022 12:01 AM
To: fabric@... <fabric@...>
Subject: [EXTERNAL] [Hyperledger Fabric] Issue updating TLS certificates for Raft Consenters #consensus #configtxgen #fabric-orderer
Issue updating TLS certificates for Raft Consenters
#consensus
#configtxgen
#fabric-orderer
afrancoc2000@...
Hi,
I'm having trouble updating the TLS certificates for my blockchain's orderers. When I created my certificates I was using HLF v1.4 and golang 1.14, and SANs weren't enforced. Now I have upgraded my blockchain to v2.4 and updated the certificates to include SANs, but as the configuration doesn't allow updating both consenters at the same time, I updated orderer1 and left orderer2 unchanged; now they are running but they don't reach consensus. Orderer 1 is saying the certificate is wrong because SANs are missing, and even though I added the GODEBUG="netdns=go,x509ignoreCN=0" environment variable I'm still getting the error, and without consensus I cannot change the second certificate.

Another issue I ran into is that I also had to update the CA intermediate certificate, so I'm setting the orderers' properties like this:

Orderer1 (updated certificate):

    ORDERER_GENERAL_TLS_ROOTCAS=/var/hyperledger/orderer/tls/newcachain.crt
    ORDERER_GENERAL_TLS_CLIENTROOTCAS=/var/hyperledger/orderer/tls/oldcachain.crt

Orderer1 (old certificate):

    ORDERER_GENERAL_TLS_ROOTCAS=/var/hyperledger/orderer/tls/oldcachain.crt
    ORDERER_GENERAL_TLS_CLIENTROOTCAS=/var/hyperledger/orderer/tls/newcachain.crt

Is there another way to bypass SANs verification? I downgraded both orderers to v2.3 with no luck. Or how could I revert the changes in the configuration, restore my old configtx, and try to change both certificates at once?

Thank you very much
Ana Maria Franco
Tech Leader - Ceiba Software
Now: Private Chaincode Lab - 02/08/2022
#cal-notice
fabric@lists.hyperledger.org Calendar <noreply@...>
Private Chaincode Lab
Organizer: Marcus Brandenburger <bur@...>
Re: could you please unsubscribe me from this list - thanks
Mark Lewis
You should be able to unsubscribe yourself at https://lists.hyperledger.org/g/fabric/editsub
Re: chaincode invoke is succesful but i can't see database and data into couchdb
#fabric-questions
pavon@...
Hello, Kumari: A few things I would like to run by you:
1. Did you expose port 5984? In general, CouchDB databases are configured by default to NOT expose that port to the outside world. If you want to see your data in Futon, you would have to expose the port using port mapping or another method. For example, if your database is in a Docker container, you would have to expose the port by typing in
...where f6b23... is the container ID for Docker.
2. In your CLI, when you run
...do you see a list of the default databases and the ones you created in JSON format? Or do you see just the default ones (like replicator and users, for example)?
3. Did you make yourself an admin in CouchDB by adding your credentials in the local.ini file CouchDB provides upon installation?
Just a few things to consider. Good luck. Pavon
chaincode invoke is succesful but i can't see database and data into couchdb
#fabric-questions
Kumari Shweta
Hi Team,
I have an HLF 2.2 setup (3 orgs); all orgs are on three different EC2 instances.
As per my requirement, 2 orgs should be required for endorsement, so I have customized the endorsement policy in configtx (lifecycle endorsement and application endorsement):

    LifecycleEndorsement:
        Type: Signature
        Rule: AND('Org1MSP.peer','Org2MSP.peer','Org3MSP.peer')
    Endorsement:
        Type: ImplicitMeta
        Rule: "MAJORITY Endorsement"

Chaincode invoke is successful but I am not able to see the database and data in CouchDB, while from the CLI I can see the data.
Any suggestion on endorsement? Please correct me.
Regards,
Shweta
Re: Hyperledger Explorer Block Counting Issue
#blockchain-explorer
All HLF operations are stored on the ledger, including "system" chaincodes (escc, vscc, lscc, _lifecycle) responsible for network orchestration.
Kind regards,
David

On Sun., 6 Feb. 2022, 13:03, <asaduzzaman.rakib.10@...> wrote:
Hyperledger Explorer Block Counting Issue
#blockchain-explorer
asaduzzaman.rakib.10@...
I have an issue regarding blockchain explorer which I can't understand.
If you look at the screenshot, there are 14 blocks created so far. When a channel is created, 3 blocks, 3 transactions and 2 nodes are created. Then, after invoking the chaincode, there are 7 blocks, 7 transactions, 2 nodes and 1 chaincode. So in total, according to my calculation, there should be 10 blocks, 10 transactions, 2 nodes and 1 chaincode, but I received 11 blocks, 11 transactions, 2 nodes and 2 chaincodes [for updating the smart contract according to the official HLF documentation].
After making 3 further invocations, it resulted in 14 blocks, 14 transactions, 2 nodes and 2 chaincodes.
Can anyone please explain what mistake I made during counting?
could you please unsubscribe me from this list - thanks
Annegret Warnecke
many thanks
Annegret Warnecke
Re: HYPERLEDGER FABRIC CERTIFICATE EXPIRED ERROR
#fabric
#fabric-peer
#fabric-orderer
#fabric-ca
#fabricca
Just in case this helps:
Regards,
Satheesh
On Friday, February 4, 2022, 08:16:11 PM GMT+5:30, mohana.a@... <mohana.a@...> wrote:
HYPERLEDGER FABRIC CERTIFICATE EXPIRED ERROR
#fabric
#fabric-peer
#fabric-orderer
#fabric-ca
#fabricca
mohana.a@...
Hi, I had set up a Hyperledger Fabric network (v1.4.2) with a few orgs a year back in a Kubernetes cluster using Hyperledger Bevel. Each org has its own CA and TLSCA servers running with TLS enabled. The age of the pods is about 365 days. Peer and orderer pods are in CrashLoopBackOff state because the Fabric CA certificates have expired. We tried creating a configmap for fabric-ca-server and configured the file fabric-ca-server-config.yaml with 131400h as the expiry duration, but it did not work.
The peer pods are crashing with the following error,
"Cannot run peer because error when setting up MSP of type bccsp from directory /etc/hyperledger/fabric/msp: signing identity expired 24h ago"
Can someone tell me how I can renew the certificates or solve this issue, and what changes need to be made to the existing channel and chaincodes? Thanks in advance.
Re: Experiencing issues when generating genesis block
Hi Musonda, how are you? I hope you are well. I can't help you directly because I do not use Windows to run and develop with the Hyperledger Fabric platform, but I may suggest that you use the following configuration:
My host machine is a Lenovo laptop with Windows 10, and by using Vagrant my Windows stays clean and I have a lot of options to provision my Vagrant box to simulate a lot of environments (e.g. multiple network interfaces to simulate different orgs' networks, etc.). Your logs show that you are using 2.4.1 Hyperledger Docker images.
My best regards,
David

On Thu., 3 Feb. 2022 at 00:34, musonda yese <musondayese@...> wrote:
--
David Reis
Event: Hyperledger Fabric documentation contributor calls
#cal-invite
fabric@lists.hyperledger.org Calendar <noreply@...>