Enrollment with fabric-ca-client with Mismatching Host (on AWS Managed Blockchain)

Stein, Alexander J. (Fed) <alexander.stein@...>


I am working with a team and we are trying to use an _existing_ deployment of a Hyperledger Fabric 1.4 network that is private (this becomes important later), as configured on the AWS Managed Blockchain platform. I presume I cannot modify the certificate authority, only access it the way it is provided, so I need to know how to work around this without blowing away all the members and the network to start from scratch.

Can you enroll an admin member with the member CA if there is a hostname mismatch?

So far, we reached this portion of official AWS documentation.


When we use our CA configuration data it does not work _as-is_ with the given configuration. We are not using a public network, so this configuration is a hard requirement by AWS (until we advance further). We must use a VPC endpoint to access the member certificate authority by an internal IP address via a special VPC Endpoint DNS record, not public. AWS does not seem to have an option for a private network with public addresses. So, when following this post, we get back obvious cert name mismatches when sending the CSR.

To start, we are using 1.4.7 pulled down from GitHub releases yesterday.

$ ~/go/src/github.com/hyperledger/fabric-ca/bin/fabric-ca-client version
Version: 1.4.7
Go version: go1.13.9
OS/Arch: linux/amd64

We set our CAENDPOINT to a VPC endpoint, which is valid, but a slightly different hostname from the official endpoint.


Notice this is different from what AWS tells us the member CA is, but that is intentional and by design. This is what you would see in the console as the official member CA endpoint.

ca.mymemberid.n-mynetworkid.managedblockchain.us-east-1.amazonaws.com:30002 (NOTE: this does not even show up in DNS by design, it will not resolve, this is to force you to use the aforementioned API endpoints only through private addresses via VPC endpoints.)

So when we do this, either the client (but more likely the CA server, right?) says hey, those hostnames don't match, I am ignoring your CSR, better luck next time.

$ ~/go/src/github.com/hyperledger/fabric-ca/bin/fabric-ca-client enroll -u "https://adminuser:adminpassword@$CASERVICEENDPOINT" --tls.certfiles ~/managedblockchain-tsl-chain.pem -m ~/admin-msp
2021/12/17 19:38:27 [INFO] TLS Enabled
2021/12/17 19:38:27 [INFO] generating key: &{A:ecdsa S:256}
2021/12/17 19:38:27 [INFO] encoded CSR
Error: POST failure of request: POST https://vpce-0123456789010-abcdefg-us-east-1c.n-mynetworkidce.managedblockchain.us-east-1.vpce.amazonaws.com:30002/enroll
{"hosts":["/home/ec2-user/admin-msp"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","CAName":""}: Post https://vpce-0123456789010-abcdefg-us-east-1c.n-mynetworkid.managedblockchain.us-east-1.vpce.amazonaws.com:30002/enroll: x509: certificate is valid for nd-blahblahblah.m-mymemberid.n-mynetworkid.managedblockchain.us-east-1.amazonaws.com, localhost, ca.m-mymemberid.n-mynetworkid.managedblockchain.us-east-1.amazonaws.com, not vpce-0123456789010-abcdefg-us-east-1c.n-mynetworkidce.managedblockchain.us-east-1.vpce.amazonaws.com

Again ca.mymemberid.n-mynetworkid.managedblockchain.us-east-1.amazonaws.com will not resolve and this is by design, but luckily it seems a proper HTTPS POST request came back, albeit with an error.

Is there any way to force a CSR with a hostname mismatch from the client side, or is this a (member CA) server-side only thing?

This is a managed Hyperledger Fabric deployment, so I do not think we can modify the CA server config. Is there any way to force this with the fabric-ca-client-config.yaml?

Am I missing something obvious? Sorry, I am new to Fabric and the docs do not help me with this level of detail.
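Added example (not part of the post above, and not fabric-ca-client or AWS code): the message "x509: certificate is valid for A, B, C, not D" is the text of Go's x509.HostnameError, which the client's TLS stack raises when the name it dialled is absent from the server certificate's Subject Alternative Names. The program below reproduces that check stand-alone: it builds a self-signed certificate whose SAN list mirrors the three names in the error (the member, network and VPC endpoint identifiers are constructed placeholders, not real AWS values), then asks x509.VerifyHostname, the same routine the TLS client uses, which candidate endpoints it would accept. Running it shows that the decision is made on the client side during the handshake, before any enrollment request reaches the CA, and that only names present in the SAN list pass.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// SANNames mirrors the three names listed in the error message in the post.
// All identifiers here are constructed placeholders, not real AWS values.
var SANNames = []string{
	"nd-blahblahblah.m-mymemberid.n-mynetworkid.managedblockchain.us-east-1.amazonaws.com",
	"localhost",
	"ca.m-mymemberid.n-mynetworkid.managedblockchain.us-east-1.amazonaws.com",
}

// Candidates are endpoint strings a client might dial (host:port form, as in
// the enroll URL from the post); constructed placeholders as above.
var Candidates = []string{
	"vpce-0123456789010-abcdefg-us-east-1c.n-mynetworkidce.managedblockchain.us-east-1.vpce.amazonaws.com:30002",
	"ca.m-mymemberid.n-mynetworkid.managedblockchain.us-east-1.amazonaws.com:30002",
	"localhost",
}

// buildServerCert creates a self-signed server certificate carrying the given
// DNS names as Subject Alternative Names, so the check can run offline.
func buildServerCert(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hostOnly strips a trailing :port, as net/http does before setting the TLS
// ServerName that the certificate is verified against.
func hostOnly(endpoint string) string {
	if h, _, err := net.SplitHostPort(endpoint); err == nil {
		return h
	}
	return endpoint
}

// HostnameAccepted reports whether a Go TLS client (fabric-ca-client is Go)
// would accept this certificate for a connection to the given endpoint.
func HostnameAccepted(cert *x509.Certificate, endpoint string) bool {
	return cert.VerifyHostname(hostOnly(endpoint)) == nil
}

// CheckEndpoints runs the hostname check for every candidate endpoint and
// returns the verdict keyed by the endpoint string as given.
func CheckEndpoints(cert *x509.Certificate, endpoints []string) map[string]bool {
	out := make(map[string]bool, len(endpoints))
	for _, e := range endpoints {
		out[e] = HostnameAccepted(cert, e)
	}
	return out
}

func main() {
	cert, err := buildServerCert(SANNames)
	if err != nil {
		panic(err)
	}
	for _, e := range Candidates {
		verdict := "REJECTED (x509.HostnameError)"
		if HostnameAccepted(cert, e) {
			verdict = "accepted"
		}
		fmt.Printf("%-100s %s\n", e, verdict)
	}
}
```

Because the rejection happens in the client's TLS verification, a setting on the CA server cannot change it, and the CSR in the rejected request was never delivered. Separately, the request body in the post shows `"hosts":["/home/ec2-user/admin-msp"]`: in fabric-ca-client the lowercase `-m` flag is `--myhost`, which adds a host name to the CSR, while the MSP output directory is the uppercase `-M`/`--mspdir`, which is consistent with that path appearing in the CSR's host list.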