Reputation: 21778
I have a working GoDaddy SSL certificate for a Java/Tomcat server, consisting of 3 files:
All three are base64-encoded text files and the contents look like
-----BEGIN CERTIFICATE-----
MIIFNjCCBB6gAwIBAgIJAKbYqLbxt9JLMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
...
MLLO84KBeOlWOD9ShSj2OqPQiozGPPjqzuIyyWJF37s0Y/BpgJPfqHgE
-----END CERTIFICATE-----
gd_bundle-g2-g1.crt contains multiple such entries inside.
Now, Hyperledger instructions here explain:
composer-rest-server -t -c /tmp/cert.pem -k /tmp/key.pem -p hlfv1 -n my-network -i alice1 -s suchs3cret
Which one in my case is expected to be the cert.pem and which one the key.pem? Do they need any conversion, and if they do, how? These certificates work fine for Java frameworks that use jks keystore. Hyperledger uses node.js and produces errors like
Error: error:0906D06C:PEM routines:PEM_read_bio:no start line
at Error (native)
at Object.createSecureContext (_tls_common.js:85:17)
at Server (_tls_wrap.js:776:25)
at new Server (https.js:26:14)
at Object.exports.createServer (https.js:47:10)
at Promise.then (/home/hla/.nvm/versions/node/v6.11.2/lib/node_modules/composer-rest-server/server/server.js:148:28)
at process._tickCallback (internal/process/next_tick.js:109:7)
I tried to substitute the files in various combinations but only get error messages so far. I think I actually tried all possible combinations already, so very likely the format is wrong.
GoDaddy also allows exporting certificates in various popular formats (Apache, Exchange, IIS, MacOS X and Tomcat to be precise), but Hyperledger is obviously not among them.
It may also be problematic that when I generate the certificate with
openssl req -newkey rsa:2048 -new -nodes -keyout key.pem -out csr.pem
(where obviously key.pem should probably be the key), I also get the same error:
Error: error:0906D06C:PEM routines:PEM_read_bio:no start line
OpenSSL version: OpenSSL 1.0.2g 1 Mar 2016. node --version: 5.4.0.
Upvotes: 0
Views: 443
Reputation: 101
Use gdig2.crt.pem as your certificate (-c). You need to specify the file to your private key (-k) which you used to generate the CSR. If your private key is password protected, you need to provide the passphrase in composer-rest-server/server.js (look for the line https.createServer({cert, key}, app);). Good luck.
Upvotes: 0
Reputation: 5868
The rest server is expecting 2 things in order to be able to enable tls. It requires a private key and a public certificate associated with that private key. They both need to be in .pem format. The public certificate will have text that starts with -----BEGIN CERTIFICATE----- whilst the private key will have text that starts with -----BEGIN PRIVATE KEY-----
The openssl command can be used to generate a self-signed certificate, for example, which would be usable by the rest server. In the example you gave above, you actually generated a CSR (certificate request), which is a request to create a certificate for you based on the private key it has generated, and so the csr.pem file it created isn't a usable certificate. A CSR is something you send to a certificate authority to request the creation of a certificate.
Upvotes: 1
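The checks the answers above describe (a CERTIFICATE block for -c, a readable private key for -k, a CSR is not a certificate) can be run before starting the server. This is an added example, not part of the original posts or of composer-rest-server; the function names `pemLabels`, `checkTlsInputs` and `sampleFiles` are hypothetical and the sample files are constructed.

```javascript
// Added example (not composer-rest-server code): pre-flight check for the -c / -k files.
const crypto = require('crypto');

// Labels of every PEM block in the text, e.g. ['CERTIFICATE', 'CERTIFICATE'] for a bundle.
function pemLabels(text) {
  const re = /-----BEGIN ([A-Z0-9 ]+)-----[\s\S]*?-----END \1-----/g;
  return [...String(text).matchAll(re)].map((m) => m[1]);
}

// Problems that would stop https.createServer({cert, key}) from accepting these files.
// The certificate is checked by label only; the key is actually parsed.
function checkTlsInputs(certText, keyText, passphrase) {
  const problems = [];
  const certLabels = pemLabels(certText);
  const keyLabels = pemLabels(keyText);
  if (certLabels.length === 0) {
    problems.push('cert: no PEM block (DER or keystore file?)');
  } else if (certLabels[0].endsWith('CERTIFICATE REQUEST')) {
    problems.push('cert: file is a CSR, not a certificate');
  } else if (certLabels[0] !== 'CERTIFICATE') {
    problems.push(`cert: unexpected block ${certLabels[0]}`);
  }
  const keyLabel = keyLabels.find((l) => l.endsWith('PRIVATE KEY'));
  if (!keyLabel) {
    problems.push(keyLabels.length ? `key: file holds ${keyLabels[0]}, not a private key` : 'key: no PEM block');
  } else {
    try {
      crypto.createPrivateKey({ key: keyText, passphrase });
    } catch (err) {
      const locked = /ENCRYPTED/.test(keyText) && !passphrase;
      problems.push(locked ? 'key: encrypted, passphrase required' : `key: unreadable (${err.code || err.message})`);
    }
  }
  return problems;
}

// Constructed sample inputs: a throwaway EC key plus placeholder certificate and CSR blocks.
function sampleFiles() {
  const { privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const wrap = (label) => `-----BEGIN ${label}-----\nQ09OU1RSVUNURUQ=\n-----END ${label}-----\n`;
  return {
    cert: wrap('CERTIFICATE'),
    csr: wrap('CERTIFICATE REQUEST'),
    key: privateKey.export({ type: 'pkcs8', format: 'pem' }),
    encryptedKey: privateKey.export({ type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase: 'constructed' }),
  };
}
```

An empty result from `checkTlsInputs` means the labels are right and the key loads; it does not prove that the key belongs to the certificate.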