Unable to TLS using peer's TLS ca.crt


Abhijeet Bhowmik <abhijeet@...>
 

Hi All,

I am trying to start a network wherein the orderer has TLS enabled. I copied the peer's tls/ca.crt file to the orderer volume. Then I try to create a channel on the peer with --cafile tls/ca.crt but get the response: Error: failed to create deliver client: orderer client failed to connect to orderer.flightcommand.com:7050: failed to create new connection: context deadline exceeded. On inspecting the orderer logs, I see this: 2020-04-19 07:50:55.580 UTC [core.comm] ServerHandshake -> ERRO 011 TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=172.18.0.3:40514

Following are my orderer and peer env vars:

ORDERER:
      # enabled tls
      - ORDERER_GENERAL_TLS_ENABLED=true
      - ORDERER_GENERAL_TLS_PRIVATEKEY=/etc/hyperledger/tls/orderer/server.key
      - ORDERER_GENERAL_TLS_CERTIFICATE=/etc/hyperledger/tls/orderer/server.crt
      - ORDERER_GENERAL_TLS_ROOTCAS=[/etc/hyperledger/tls/orderer/ca.crt,/etc/hyperledger/tls/peer/ca.crt]

PEER:
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/tls/peer/server.crt
      - CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/tls/peer/server.key
      - CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/tls/peer/ca.crt
      - ORDERER_TLS_CA=/etc/hyperledger/tls/peer/ca.crt

** Please note that I use $ORDERER_TLS_CA for the --cafile value.

I am confused as hell about the files residing in the folder. The terminology mentioned in the docs escapes me. Could someone point me in the right direction? I will be grateful.

Thanks and Regards
Abhijeet Bhowmik


conanoc
 

You should use the orderer's TLS CA cert instead of the peer's.
Change
- ORDERER_TLS_CA=/etc/hyperledger/tls/peer/ca.crt
to
- ORDERER_TLS_CA=(path of the copied orderer's /etc/hyperledger/tls/orderer/ca.crt)
Of course, you should first copy the orderer's TLS CA cert to the peer node.

-----Original Message-----
From: "Abhijeet Bhowmik"<abhijeet@...>
To: <fabric@...>;
Cc:
Sent: 2020. 4. 19. (Sun) 17:54 (GMT+09:00)
Subject: [Hyperledger Fabric] Unable to TLS using peer's TLS ca.crt