Hello,
Are there any fabric samples with Mutual TLS enabled, a.k.a. CORE_PEER_TLS_CLIENTAUTHREQUIRED=true? I enabled balance-transfer with Mutual TLS, but it fails when running testAPI.sh with this error:
2019-03-27T20:57:05.419Z - error: [Remote.js]: Error: Failed to connect before the deadline URL:grpcs://localhost:7051
[2019-03-27 16:57:05.419] [ERROR] Query - Error: Failed to connect before the deadline URL:grpcs://localhost:7051
at checkState (/home/mn/git/fabric-network/fabric-samples/balance-transfer/node_modules/grpc/src/client.js:720:16)
E0327 16:57:10.541722858 7375 ssl_transport_security.cc:219] ssl_info_callback: error occured.
E0327 16:57:10.541763890 7375 ssl_transport_security.cc:1227] Handshake failed with fatal error SSL_ERROR_SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate.
E0327 16:57:12.156285882 7375 ssl_transport_security.cc:219] ssl_info_callback: error occured.
thank you
Nik
Hi Nick,
The error message clearly says that the server (peer) did not receive the correct client certificate. I assume that along with CORE_PEER_TLS_CLIENTAUTHREQUIRED = true, you have set the env variables below correctly:
- CORE_PEER_TLS_CLIENTROOTCAS_FILES = CA certificate
- CORE_PEER_TLS_CLIENTCERT_FILE = client certificate
- CORE_PEER_TLS_CLIENTKEY_FILE = client key
You may use fabric-ca to generate these client certificates. If you wish to use OpenSSL to generate client certs, keep in mind that RSA keys are not supported by Fabric.
You have to assign these certificates to the client instance as well. I prefer to do it this way.
I would have used curl to verify the 2-way TLS authentication configuration, if it were HTTPS:
curl -v --cacert ./ca.crt --key ./client.key --cert ./client.crt https://abc.com
Furthermore, you may check out this blog; it could be of some help.
Thanks for the prompt reply. We are trying to use a fabric sample that has mutual TLS enabled, with HLExplorer as a client, but it looks like Fabric doesn't provide one; we will have to modify the balance-transfer client in order to use mutual TLS.
Another question is how to generate the client key and cert, and whether both the key and cert need to be registered on the fabric-ca server? It is not clear, and what type of tools can we use to generate both?
nik
Another question is how to generate the client key and cert, and whether both the key and cert need to be registered on the fabric-ca server? It is not clear, and what type of tools can we use to generate both?
nik
Hi Nick,
Client certificates need not be issued by fabric-ca. You can generate a self-signed CA + client certificate using OpenSSL. Here is a nice explanation:
The configuration below ensures that the self-signed CA cert and other certificates issued by this CA are trusted by the peer:
CORE_PEER_TLS_CLIENTROOTCAS_FILES = self-signed CA certificate
Thank you for the hint
Nik
On Thu, Mar 28, 2019 at 4:22 PM Nye Liu < nye@...> wrote:
With one caveat: if you generate the CA with OpenSSL, you need to wait 5 minutes before enrolling anyone; the CA server backdates enrolled certs by 5 minutes.
https://jira.hyperledger.org/browse/FABC-832
Also I had to add -noout, or the ecparam gets added to the cert and the CA server doesn't like it:
openssl ecparam -genkey -name prime256v1 -noout -out ca.key
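Pulling the replies above together (the peer env vars, generating the material with OpenSSL instead of fabric-ca, the -noout flag, and the 5-minute backdating caveat), here is an added example, not code from the thread or from Hyperledger Fabric, that mints a P-256 CA and a client certificate with OpenSSL and runs the checks a practitioner would want before handing the files to the peer and the SDK. Directory, file and subject names are assumptions; it needs openssl and GNU date, and it does not contact a peer (the handshake command it prints is for a live one).

```shell
#!/bin/sh
# Added example, not code from the thread or from Hyperledger Fabric: mint a
# throw-away P-256 CA and a client certificate with OpenSSL, the material a peer
# running with CORE_PEER_TLS_CLIENTAUTHREQUIRED=true expects in
# CORE_PEER_TLS_CLIENTROOTCAS_FILES (the CA) and that the SDK presents on connect
# (client.crt/client.key). All directory, file and subject names are assumptions.
set -eu

# Generate CA + client material under directory $1.
make_mtls_material() {
  dir=$1
  mkdir -p "$dir"
  # Keys: P-256 only (Fabric rejects RSA); -noout keeps the "EC PARAMETERS"
  # block out of the PEM file, which fabric-ca-server trips over.
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key"
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/client.key"
  # Self-signed CA with explicit CA extensions, so nothing depends on openssl.cnf.
  printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl req -new -sha256 -key "$dir/ca.key" -subj "/O=example.com/CN=tls-ca.example.com" -out "$dir/ca.csr"
  openssl x509 -req -sha256 -days 365 -in "$dir/ca.csr" -signkey "$dir/ca.key" -extfile "$dir/ca.ext" -out "$dir/ca.crt"
  # Client cert issued by that CA, restricted to TLS client authentication.
  printf 'basicConstraints = CA:FALSE\nkeyUsage = critical,digitalSignature\nextendedKeyUsage = clientAuth\n' > "$dir/client.ext"
  openssl req -new -sha256 -key "$dir/client.key" -subj "/O=example.com/CN=balance-transfer-client" -out "$dir/client.csr"
  openssl x509 -req -sha256 -days 365 -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/client.ext" -out "$dir/client.crt"
}

# Check 1: the client cert must chain to the CA the peer is given; otherwise the
# peer answers the handshake with "alert bad certificate" as in the log above.
chains_to_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Check 2: public key algorithm of a certificate ("id-ecPublicKey" for ECDSA,
# "rsaEncryption" for RSA, which Fabric rejects).
cert_key_algorithm() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1
}

# Check 3: the leaf's notBefore must not precede the issuer's. This is the trap
# when an OpenSSL-minted CA is handed to fabric-ca-server, which backdates
# enrolled certs by 5 minutes (FABC-832). GNU date is assumed.
validity_nested() {
  ca_start=$(openssl x509 -in "$1" -noout -startdate | sed 's/^notBefore=//')
  leaf_start=$(openssl x509 -in "$2" -noout -startdate | sed 's/^notBefore=//')
  [ "$(date -u -d "$leaf_start" +%s)" -ge "$(date -u -d "$ca_start" +%s)" ]
}

main() {
  d=$1
  make_mtls_material "$d"
  chains_to_ca "$d/ca.crt" "$d/client.crt" && echo "client.crt chains to ca.crt"
  echo "client key algorithm: $(cert_key_algorithm "$d/client.crt")"
  validity_nested "$d/ca.crt" "$d/client.crt" && echo "validity periods nest"
  echo "peer: CORE_PEER_TLS_CLIENTAUTHREQUIRED=true CORE_PEER_TLS_CLIENTROOTCAS_FILES=$d/ca.crt"
  # Handshake test against a live peer: peers speak gRPC, so use s_client rather
  # than curl; -CAfile is the CA that issued the peer's own server certificate.
  echo "test: openssl s_client -connect localhost:7051 -alpn h2 -CAfile <peer TLS CA cert> -cert $d/client.crt -key $d/client.key </dev/null"
}
main "${1:-./mtls-demo}"
```

The peer gets ca.crt through CORE_PEER_TLS_CLIENTROOTCAS_FILES and the SDK presents client.crt/client.key; a failure of the first check is exactly what shows up in the gRPC log as `sslv3 alert bad certificate`, and the third check is what you would run after letting fabric-ca-server enroll against an OpenSSL-made CA.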
Unfortunately I am seeing the following issue for CA enroll; I also tried unsuccessfully using "localhost" in the CA URL. Enabling mutual TLS for client calls to Fabric has been no picnic.
mn@mn-pc:~/git/fabric-network/fabric-samples/bin$ ./fabric-ca-client enroll -u "http://admin:adminpw@...:7054" --tls.certfiles "/home/mn/git/fabric-network/fabric-samples/balance-transfer/artifacts/channel/crypto-config/peerOrganizations/org1.example.com/ca/ca.org1.example.com-cert.pem"
2019/03/29 16:04:46 [INFO] generating key: &{A:ecdsa S:256}
2019/03/29 16:04:46 [INFO] encoded CSR
Error: POST failure of request: POST http://ca.org1.example.com:7054/enroll {"hosts":["mn-pc"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBOjCB4gIBADBdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDjAMBgNV\nBAMTBWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfjQ64ttiDxgLGGMx\nPLREXDbX3YQj9B+Y59d3LaXILuqI9m0urDqQfLpIOYiJFly0bcvk8jtNnMXiPkzm\nyvzhNaAjMCEGCSqGSIb3DQEJDjEUMBIwEAYDVR0RBAkwB4IFbW4tcGMwCgYIKoZI\nzj0EAwIDRwAwRAIgTFaeYkBXHcthfqCVukPj+r3i1Gt76hgHfo5bwbpPAS4CIAol\nI7NbZ+m0O3yYxdU76ZiC+yhqfwZZ53/zK2FiZuho\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","CAName":""}: Post http://ca.org1.example.com:7054/enroll: dial tcp: lookup ca.org1.example.com: no such host
----------------------------------------------------------------------------------------------------
mn@mn-pc:~/git/fabric-network/fabric-samples/bin$ ./fabric-ca-client enroll -u "http://admin:adminpw@...:8054" --tls.certfiles "/home/mn/git/fabric-network/fabric-samples/balance-transfer/artifacts/channel/crypto-config/peerOrganizations/org2.example.com/ca/ca.org2.example.com-cert.pem"
2019/03/29 16:05:16 [INFO] generating key: &{A:ecdsa S:256}
2019/03/29 16:05:16 [INFO] encoded CSR
Error: POST failure of request: POST http://ca.org2.example.com:8054/enroll {"hosts":["mn-pc"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBOjCB4gIBADBdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDjAMBgNV\nBAMTBWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkJsLW7klCbJtCfUL\nZk6uBQEbo/eDE4Ic2mOPXyoAJQmCNrsx4TBxI9NKTnvNrkSDIt1ZzvTRd17LnVq3\nE5+aNaAjMCEGCSqGSIb3DQEJDjEUMBIwEAYDVR0RBAkwB4IFbW4tcGMwCgYIKoZI\nzj0EAwIDRwAwRAIgJsI049YNV4rc3gPIEcogFD1iBJe4BCE3y7dn1jsaM3ICIEfx\no+2Oc78v/cr5dl0ECEGZgL/Hh47hVgRY/pl7A8ym\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","CAName":""}: Post http://ca.org2.example.com:8054/enroll: dial tcp: lookup ca.org2.example.com: no such host
Why have you provided TLS certs if you are posting over http? Should it not be https? And could you try a curl on the URL?
Regards, Vishal
Those are pretty clearly DNS/hostname resolution issues, not mutual TLS issues...
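Vishal's http-vs-https question and Nye's DNS diagnosis are both things that can be checked before running enroll at all. As an added example (not from the thread, and not part of fabric-ca), this preflight parses the -u URL, flags a scheme that contradicts the --tls.certfiles flag, and tests whether the CA hostname resolves from the client machine. The CA certificate path is an assumption, getent(1) (glibc) is required, and nothing is sent to the CA.

```shell
#!/bin/sh
# Added example, not code from the thread or from fabric-ca: a preflight for
# `fabric-ca-client enroll -u URL [--tls.certfiles FILE]` that catches the two
# problems raised above before any request is sent: a URL scheme that disagrees
# with the TLS material handed to the client, and a CA hostname this machine
# cannot resolve. Assumes getent(1) (glibc); bracketed IPv6 hosts are not handled.

# Split "scheme://[user:secret@]host[:port][/path]" into "scheme host port".
# Returns 1 for anything that is not an http(s) URL with a host.
ca_url_parts() {
  url=$1
  case $url in
    http://*|https://*) ;;
    *) return 1 ;;
  esac
  scheme=${url%%://*}
  rest=${url#*://}
  rest=${rest%%/*}      # drop any path
  rest=${rest##*@}      # drop user:secret (keep it out of logs, too)
  host=${rest%%:*}
  port=${rest##*:}
  if [ "$port" = "$rest" ]; then   # no explicit port given
    if [ "$scheme" = https ]; then port=443; else port=80; fi
  fi
  [ -n "$host" ] || return 1
  printf '%s %s %s\n' "$scheme" "$host" "$port"
}

# The scheme must match the TLS flags: http:// with --tls.certfiles is the
# contradiction in the enroll command above, and https:// without a CA file
# leaves the server certificate unverifiable. Prints "ok" or a diagnosis.
scheme_matches_tls() {
  scheme=$1; certfile=${2:-}
  if [ "$scheme" = http ] && [ -n "$certfile" ]; then
    echo "http:// URL but --tls.certfiles given: use https:// if the CA has TLS enabled, or drop the flag"
    return 1
  fi
  if [ "$scheme" = https ] && [ -z "$certfile" ]; then
    echo "https:// URL without --tls.certfiles: the CA's server certificate cannot be verified"
    return 1
  fi
  echo ok
}

# Docker service names such as ca.org1.example.com resolve only inside the
# compose network; from the host you need an /etc/hosts entry or the published
# port on localhost. This is the "dial tcp: lookup ...: no such host" case.
host_resolves() { getent hosts "$1" >/dev/null 2>&1; }

# ca_preflight URL [TLS_CERTFILE]  -> returns 0 only if everything checks out.
ca_preflight() {
  parts=$(ca_url_parts "$1") || { echo "unparseable CA URL: $1"; return 1; }
  set -- $parts "${2:-}"
  scheme=$1; host=$2; port=$3; certfile=$4
  rc=0
  scheme_matches_tls "$scheme" "$certfile" || rc=1
  if host_resolves "$host"; then
    echo "$host resolves"
  else
    echo "$host does not resolve from this machine (expect: dial tcp: lookup $host: no such host)"
    rc=1
  fi
  [ "$rc" -eq 0 ] && echo "preflight ok for $scheme://$host:$port"
  return "$rc"
}

# The enroll command from the thread (CA cert path assumed), then the same CA
# reached through its published port on localhost over TLS, for contrast.
ca_preflight "http://admin:adminpw@ca.org1.example.com:7054" "$HOME/ca.org1.example.com-cert.pem" || true
ca_preflight "https://admin:adminpw@localhost:7054" "$HOME/ca.org1.example.com-cert.pem" || true
```

Whether the second form actually enrolls depends on the CA container having TLS enabled and port 7054 published; the preflight only tells you that the URL is internally consistent and that the name resolves, which is as far as the two diagnoses above go.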