Registering a user with Fabric CA - Authentication failure #fabricca #fabric


Prasanth Sundaravelu
 

Hi guys, 

I have a fabric-ca container and an orderer container.

First I started up the CA container and ran this:

# Exported so the fabric-ca-server child process sees them
export FABRIC_CA_SERVER_HOME=/etc/hyperledger/fabric-ca
export FABRIC_CA_SERVER_CSR_CN=rca-orderer
export FABRIC_CA_SERVER_CSR_HOSTS=rca-orderer


# Initialize the root CA (bootstrap registrar identity given as user:pass)
fabric-ca-server init -b "$BOOTSTRAP_USER_PASS"
######################### ^^ Careful about this variable, setup-fabric script isn't generic

# Copy ca cert into shared dir
cp "$FABRIC_CA_SERVER_HOME/ca-cert.pem" /data/ca-certs/rca-orderer.pem

# Add custom orgs (affiliations) to the generated server config:

aff="orderer: []\n org1: []\n org2: []"

# Strips a leading "\n " if present (no-op for the value above)
aff="${aff#\\n }"

sed -i "/affiliations:/a \\ $aff" \
  "$FABRIC_CA_SERVER_HOME/fabric-ca-server-config.yaml"


# Start the root CA
fabric-ca-server start



It started successfully.

Then I opened up orderer container and ran this:

export FABRIC_CA_CLIENT_HOME=$HOME/ca-admins/rca-orderer
export FABRIC_CA_CLIENT_TLS_CERTFILES=/data/ca-certs/rca-orderer.pem
fabric-ca-client enroll -d -u https://rca-orderer-admin:adminpw@rca-orderer:7054
ORDERER_NAME=orderer0
ORDERER_PASS=adminpw
fabric-ca-client register -d --id.name $ORDERER_NAME --id.secret $ORDERER_PASS --id.type orderer


The enroll command worked as expected and returned the files.
But when running the register command, I get this:

root@cdf725a29b71:/# fabric-ca-client register -d --id.name $ORDERER_NAME --id.secret $ORDERER_PASS --id.type orderer
2019/03/01 10:56:51 [DEBUG] Set log level:
2019/03/01 10:56:51 [DEBUG] Home directory: /root/ca-admins/rca-orderer
2019/03/01 10:56:51 [INFO] Configuration file location: /root/ca-admins/rca-orderer/fabric-ca-client-config.yaml
2019/03/01 10:56:51 [DEBUG] Checking for enrollment
2019/03/01 10:56:51 [DEBUG] Initializing client with config: &{URL:https://rca-orderer:7054 MSPDir:msp TLS:{Enabled:true CertFiles:[/data/ca-certs/rca-orderer.pem] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR:<nil> Type:x509  } CSR:{CN:rca-orderer-admin Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[cdf725a29b71] KeyRequest:0xc000338e80 CA:<nil> SerialNumber:} ID:{Name:orderer0 Type:orderer Secret:adminpw MaxEnrollments:0 Affiliation: Attributes:[] CAName:} Revoke:{Name: Serial: AKI: Reason: CAName: GenCRL:false} CAInfo:{CAName:} CAName: CSP:0xc0003386a0 Debug:true LogLevel:}
2019/03/01 10:56:51 [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0xc0002ca7c0 PluginOpts:<nil>}
2019/03/01 10:56:51 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc000463e90 DummyKeystore:<nil> InmemKeystore:<nil>}
2019/03/01 10:56:51 [INFO] TLS Enabled
2019/03/01 10:56:51 [DEBUG] CA Files: [/data/ca-certs/rca-orderer.pem]
2019/03/01 10:56:51 [DEBUG] Client Cert File:
2019/03/01 10:56:51 [DEBUG] Client Key File:
2019/03/01 10:56:51 [DEBUG] Client TLS certificate and/or key file not provided
2019/03/01 10:56:51 [DEBUG] CheckIdemixEnrollment - ipkFile: /root/ca-admins/rca-orderer/msp/IssuerPublicKey, idemixCredFrile: /root/ca-admins/rca-orderer/msp/user/SignerConfig
2019/03/01 10:56:51 [DEBUG] Client configuration settings: &{URL:https://rca-orderer:7054 MSPDir:/root/ca-admins/rca-orderer/msp TLS:{Enabled:true CertFiles:[/data/ca-certs/rca-orderer.pem] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR:<nil> Type:x509  } CSR:{CN:rca-orderer-admin Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[cdf725a29b71] KeyRequest:0xc000338e80 CA:<nil> SerialNumber:} ID:{Name:orderer0 Type:orderer Secret:adminpw MaxEnrollments:0 Affiliation: Attributes:[] CAName:} Revoke:{Name: Serial: AKI: Reason: CAName: GenCRL:false} CAInfo:{CAName:} CAName: CSP:0xc0003386a0 Debug:true LogLevel:}
2019/03/01 10:56:51 [DEBUG] Entered runRegister
2019/03/01 10:56:51 [DEBUG] Initializing client with config: &{URL:https://rca-orderer:7054 MSPDir:/root/ca-admins/rca-orderer/msp TLS:{Enabled:true CertFiles:[/data/ca-certs/rca-orderer.pem] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR:<nil> Type:x509  } CSR:{CN:rca-orderer-admin Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[cdf725a29b71] KeyRequest:0xc000338e80 CA:<nil> SerialNumber:} ID:{Name:orderer0 Type:orderer Secret:adminpw MaxEnrollments:0 Affiliation: Attributes:[] CAName:} Revoke:{Name: Serial: AKI: Reason: CAName: GenCRL:false} CAInfo:{CAName:} CAName: CSP:0xc0003386a0 Debug:true LogLevel:}
2019/03/01 10:56:51 [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0xc0002ca7c0 PluginOpts:<nil>}
2019/03/01 10:56:51 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc000463e90 DummyKeystore:<nil> InmemKeystore:<nil>}
2019/03/01 10:56:51 [INFO] TLS Enabled
2019/03/01 10:56:51 [DEBUG] CA Files: [/data/ca-certs/rca-orderer.pem]
2019/03/01 10:56:51 [DEBUG] Client Cert File:
2019/03/01 10:56:51 [DEBUG] Client Key File:
2019/03/01 10:56:51 [DEBUG] Client TLS certificate and/or key file not provided
2019/03/01 10:56:51 [DEBUG] Loading identity: keyFile=/root/ca-admins/rca-orderer/msp/keystore/key.pem, certFile=/root/ca-admins/rca-orderer/msp/signcerts/cert.pem
2019/03/01 10:56:51 [DEBUG] No credential found at /root/ca-admins/rca-orderer/msp/user/SignerConfig: open /root/ca-admins/rca-orderer/msp/user/SignerConfig: no such file or directory
2019/03/01 10:56:51 [DEBUG] No Idemix credential found at /root/ca-admins/rca-orderer/msp/user/SignerConfig
2019/03/01 10:56:51 [DEBUG] Register { Name:orderer0 Type:orderer Secret:**** MaxEnrollments:0 Affiliation: Attributes:[] CAName:  }
2019/03/01 10:56:51 [DEBUG] Adding token-based authorization header
2019/03/01 10:56:51 [DEBUG] Sending request
POST https://rca-orderer:7054/register
{"id":"orderer0","type":"orderer","secret":"adminpw","affiliation":""}
2019/03/01 10:56:51 [DEBUG] Received response
statusCode=401 (401 Unauthorized)
Error: Response from server: Error Code: 20 - Authentication failure

This is the log from CA:

2019/03/01 10:55:07 [INFO] 172.21.0.5:34992 POST /enroll 201 0 "OK"
2019/03/01 10:55:09 [DEBUG] Received request for /register
2019/03/01 10:55:09 [DEBUG] Caller is using a x509 certificate
2019/03/01 10:55:09 [INFO] 172.21.0.5:34994 POST /register 401 25 "Invalid token in authorization header: Token signature validation failed"

Any help really appreciated. Thanks.
 


Gari Singh <garis@...>
 

You need to enroll an ID with the fabric-ca which has the ability to register users.
You'll then need to register the ID you want to use for your orderer using that ID.
Then you would use the enroll command in your orderer container (not register).

Check out https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#registering-a-new-identity


-----------------------------------------
Gari Singh
Distinguished Engineer, CTO - IBM Blockchain
IBM Middleware
550 King St
Littleton, MA 01460
Cell: 978-846-7499
garis@...
-----------------------------------------
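The sequence Gari describes, as one script. This is an added example written for this page, not code from the thread or from the fabric-ca project. It assumes fabric-ca-client on PATH, the CA address, TLS root certificate path and bootstrap registrar identity from the original post, and a hypothetical ORDERER_HOME; every secret comes from the environment, and the orderer's registration secret defaults to a random one-time value. With DRY_RUN=1 it prints the commands with secrets masked instead of running them.

```shell
#!/bin/sh
# Added example for this page, not a script from the thread or from fabric-ca.
# Registrar enroll -> register the orderer identity -> enroll the orderer.
set -eu

CA_HOST=${CA_HOST:-rca-orderer:7054}
CA_TLS_CERT=${CA_TLS_CERT:-/data/ca-certs/rca-orderer.pem}
REGISTRAR_NAME=${REGISTRAR_NAME:-rca-orderer-admin}   # bootstrap identity (-b user:pass)
REGISTRAR_PASS=${REGISTRAR_PASS:-adminpw}
REGISTRAR_HOME=${REGISTRAR_HOME:-${HOME:-/root}/ca-admins/rca-orderer}
ORDERER_NAME=${ORDERER_NAME:-orderer0}
# Random one-time secret unless the caller supplies one
ORDERER_PASS=${ORDERER_PASS:-$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')}
ORDERER_HOME=${ORDERER_HOME:-/etc/hyperledger/orderer}   # hypothetical path
DRY_RUN=${DRY_RUN:-0}

# Mask the password in an enrollment URL: https://user:pass@host -> https://user:***@host
redact_url() {
    printf '%s\n' "$1" | sed -E 's#^(https?://[^:/@]+:)[^@]*@#\1***@#'
}

# Print a fabric-ca-client command with the URL password and --id.secret value masked
print_redacted() {
    prev=""; out="fabric-ca-client"
    for a in "$@"; do
        if [ "$prev" = "--id.secret" ]; then a='***'; fi
        out="$out $(redact_url "$a")"
        prev=$a
    done
    printf '%s\n' "$out"
}

# Run fabric-ca-client, or just show the (redacted) command when DRY_RUN=1
ca_client() {
    if [ "$DRY_RUN" = 1 ]; then print_redacted "$@"; return 0; fi
    command -v fabric-ca-client >/dev/null 2>&1 || { echo "fabric-ca-client not on PATH" >&2; return 127; }
    fabric-ca-client "$@"
}

# 1. Enroll the registrar. Only an identity whose hf.Registrar.Roles covers "orderer"
#    may register one; the bootstrap identity has that attribute set to "*".
enroll_registrar() {
    ca_client enroll -H "$REGISTRAR_HOME" --tls.certfiles "$CA_TLS_CERT" \
        -u "https://$REGISTRAR_NAME:$REGISTRAR_PASS@$CA_HOST"
}

# 2. Register the orderer identity; the token is signed with the registrar's enrollment cert.
#    The affiliation must already exist on the CA (the server config adds "orderer").
#    maxenrollments 1 makes the secret single-use; renewals go through reenroll, not the secret.
register_orderer() {
    ca_client register -H "$REGISTRAR_HOME" --tls.certfiles "$CA_TLS_CERT" -u "https://$CA_HOST" \
        --id.name "$ORDERER_NAME" --id.secret "$ORDERER_PASS" \
        --id.type orderer --id.affiliation orderer --id.maxenrollments 1
}

# 3. Enroll the orderer into its own home (run on the orderer container), so the
#    registrar's private key never leaves the admin's directory. --csr.hosts sets the SAN.
enroll_orderer() {
    ca_client enroll -H "$ORDERER_HOME" --tls.certfiles "$CA_TLS_CERT" \
        -u "https://$ORDERER_NAME:$ORDERER_PASS@$CA_HOST" --csr.hosts "$ORDERER_NAME"
}

main() { enroll_registrar && register_orderer && enroll_orderer; }

case "${1:-}" in run) main ;; esac
```

Invoke as `DRY_RUN=1 sh register-orderer.sh run` to see the commands, then without DRY_RUN to execute them; steps 1 and 2 run where the registrar's MSP lives, step 3 on the orderer container. Note from the debug output in the original post that `-d` prints the full request body, including the registration secret, so keep debug logging off outside troubleshooting.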

-----fabric@... wrote: -----
To: fabric@...
From: "Prasanth Sundaravelu"
Sent by: fabric@...
Date: 03/01/2019 06:09AM
Subject: [Hyperledger Fabric] Registering a user with Fabric CA - Authentication failure #fabricca #fabric



Prasanth Sundaravelu
 

Hi Gari,

Thanks for the reply. I am aware of that and also came to know that by default, the bootstrap user and pass is already configured with the hf.registrar attribute set to "*".

I've also found out the problem. Turned out that my VM's local images were old and fabric-ca:latest pointed to v1.2. I fixed it by pulling the latest image.

Thanks,
Prasanth
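Why an old server image produces exactly "Token signature validation failed" against a newer client (added explanation and example, not part of the thread): fabric-ca-client authenticates `register` with an Authorization token of the form `b64(cert).b64(sig)`, where the signature is ECDSA over SHA-256 of a payload. Up to v1.3 that payload was `b64(body).b64(cert)`; from v1.4 it is `method.b64(uri).b64(body).b64(cert)`, which binds the token to the endpoint it was minted for. A v1.4 client therefore signs a string that a v1.2 server never reconstructs, so the signature check fails before the registrar's authorization (hf.Registrar.Roles, affiliation) is ever evaluated, which is why the error is an authentication failure and not a permission one. A v1.4 server has a compatibility mode that additionally tries the old payload for pre-1.4 clients, but a v1.2 server has no forward path, so pulling the matching image is the fix. The Go program below, written for this page and using only the standard library, reproduces both payload formats and the server-side check; the function names are mine, not fabric-ca's, the certificate is a placeholder byte string, and the public key is passed in directly rather than parsed out of the certificate in the token as the real server does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Request is the part of an HTTP call that the token covers.
type Request struct {
	Method string // e.g. "POST"
	URI    string // e.g. "/register"
	Body   []byte // JSON body as sent on the wire
}

func b64(b []byte) string { return base64.StdEncoding.EncodeToString(b) }

// payload is the string that is hashed and signed.
//   v1.3 and earlier: b64(body).b64(cert)
//   v1.4 and later:   method.b64(uri).b64(body).b64(cert)
func payload(req Request, b64cert string, v14 bool) string {
	if v14 {
		return req.Method + "." + b64([]byte(req.URI)) + "." + b64(req.Body) + "." + b64cert
	}
	return b64(req.Body) + "." + b64cert
}

// SignToken builds the Authorization header value "b64(cert).b64(sig)" the way
// a client of the given version does: ECDSA over SHA-256 of the payload.
func SignToken(key *ecdsa.PrivateKey, cert []byte, req Request, clientV14 bool) (string, error) {
	b64cert := b64(cert)
	digest := sha256.Sum256([]byte(payload(req, b64cert, clientV14)))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	return b64cert + "." + b64(sig), nil
}

// VerifyToken checks the token the way a server of the given version does.
// compat13 models the v1.4 server's optional fallback to the old payload for
// pre-1.4 clients; a pre-1.4 server has no fallback to the new format.
// pub is passed in directly; the real server takes it from the cert in the token.
func VerifyToken(pub *ecdsa.PublicKey, token string, req Request, serverV14, compat13 bool) (bool, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return false, errors.New("malformed token")
	}
	b64cert := parts[0]
	sig, err := base64.StdEncoding.DecodeString(parts[1])
	if err != nil {
		return false, err
	}
	check := func(p string) bool {
		d := sha256.Sum256([]byte(p))
		return ecdsa.VerifyASN1(pub, d[:], sig)
	}
	if check(payload(req, b64cert, serverV14)) {
		return true, nil
	}
	if serverV14 && compat13 && check(payload(req, b64cert, false)) {
		return true, nil
	}
	return false, nil // server logs "Token signature validation failed" and answers 401
}

func main() {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed placeholder: a real token carries the PEM enrollment certificate.
	cert := []byte("placeholder enrollment certificate")
	// The register body from the thread's debug output.
	register := Request{Method: "POST", URI: "/register",
		Body: []byte(`{"id":"orderer0","type":"orderer","secret":"adminpw","affiliation":""}`)}

	cases := []struct {
		name                      string
		clientV14, serverV14, cmp bool
	}{
		{"1.4 client -> 1.4 server", true, true, false},
		{"1.4 client -> 1.2 server", true, false, false}, // the thread's failure
		{"1.2 client -> 1.2 server", false, false, false},
		{"1.2 client -> 1.4 server", false, true, false},
		{"1.2 client -> 1.4 server, compat mode", false, true, true},
	}
	for _, c := range cases {
		tok, _ := SignToken(key, cert, register, c.clientV14)
		ok, _ := VerifyToken(&key.PublicKey, tok, register, c.serverV14, c.cmp)
		fmt.Printf("%-40s accepted=%v\n", c.name, ok)
	}

	// What the v1.4 change buys: a token minted for /register is rejected when
	// presented to another endpoint, even with an identical body.
	tok13, _ := SignToken(key, cert, register, false)
	tok14, _ := SignToken(key, cert, register, true)
	replay := Request{Method: "POST", URI: "/revoke", Body: register.Body}
	oldOK, _ := VerifyToken(&key.PublicKey, tok13, replay, false, false)
	newOK, _ := VerifyToken(&key.PublicKey, tok14, replay, true, false)
	fmt.Printf("replay to /revoke: pre-1.4=%v v1.4=%v\n", oldOK, newOK)
}
```

The same mismatch shows up in the CA log as a 401 with "Invalid token in authorization header", so when register fails right after a successful enroll, compare `fabric-ca-client version` with the server image before looking at registrar attributes or affiliations.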