yulong zhang

Reputation: 21

How to set tls in fabric-ca

I want to enable TLS in fabric-ca, so:

Step: I modified fabric-ca-client-config.yaml

tls:
  # TLS section for secure socket connection
  certfiles:
       - /Users/jiangnan/Documents/GOPATH/src/github.com/hyperledger/fabric-samples/first-network/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
  client:
    certfile: /Users/jiangnan/Documents/GOPATH/src/github.com/hyperledger/fabric-samples/first-network/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt
    keyfile: /Users/jiangnan/Documents/GOPATH/src/github.com/hyperledger/fabric-samples/first-network/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key

and

fabric-ca-server start -b admin:adminpw

but when I enroll:

export FABRIC_CA_CLIENT_HOME=/Users/jiangnan/Documents/GOPATH/src/github.com/hyperledger/clients/admin
fabric-ca-client enroll -u https://admin:adminpw@localhost:7054

it appears

2018/09/28 13:36:33 [INFO] encoded CSR
Error: POST failure of request: POST https://localhost:7054/enroll
{"hosts":["jiangdeimac.cn.ibm.com"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBSzCB8wIBADBdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDjAMBgNV\nBAMTBWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6IAf/x032Df4byre\nGJ3dEI1ayE+8t8eyW5R/+ExvZJLk/OK7BrepO5HtHwYg3V2FkNwdB1iV2pq/yxTX\nthZIsqA0MDIGCSqGSIb3DQEJDjElMCMwIQYDVR0RBBowGIIWamlhbmdkZWltYWMu\nY24uaWJtLmNvbTAKBggqhkjOPQQDAgNHADBEAiBzNGIF1avzD9Tbkrh3Qh2E6gVN\nKlHsXiPOZTjpSVfO0wIgCkXYx0MTQseJfjdAgXZUE7dPQqEGRg2JxTOfI2PQi5c=\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","CAName":""}: Post https://localhost:7054/enroll: x509: certificate is valid for peer0.org1.example.com, peer0, not localhost

The CA server log is:

2018/09/28 13:36:33 http: TLS handshake error from [::1]:57762: remote error: tls: bad certificate

So I want to know: how can I set up TLS using fabric-ca?

Upvotes: 2

Views: 1490

Answers (1)

Saad Karim

Reputation: 239

You need to configure TLS on the server at startup time; you actually have the client and server configuration switched a little bit. When you start up the server, you can use the command below to enable TLS and specify a TLS certificate and key. Executing this command will start the server, listening on a secure port.

fabric-ca-server start -b admin:adminpw --tls.enabled --tls.certfile /Users/jiangnan/Documents/GOPATH/src/github.com/hyperledger/fabric-samples/first-network/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt --tls.keyfile /Users/jiangnan/Documents/GOPATH/src/github.com/hyperledger/fabric-samples/first-network/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key

And then on the client, when you enroll, you need to specify the root of trust for this TLS certificate, which you can do by using the tls.certfiles flag. This would look like:

fabric-ca-client enroll -u https://admin:adminpw@localhost:7054 --tls.certfiles /Users/jiangnan/Documents/GOPATH/src/github.com/hyperledger/fabric-samples/first-network/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt

This should allow the client and server to establish a TLS connection.

Upvotes: 1
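The answer separates two things the client needs: the right root of trust in tls.certfiles, and a server certificate whose SANs cover the name in the -u URL (the question's own error, "valid for peer0.org1.example.com, peer0, not localhost", is the second one: a peer certificate was reused for a server reached as localhost). The following Go example is added here and is not fabric-ca code: it builds a constructed in-memory CA and a server certificate with the SANs from the question, then verifies them the way a Go TLS client such as fabric-ca-client does, so both failure modes can be reproduced without a running server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert generates a P-256 key and a certificate from tmpl: self-signed when parent is nil (a root CA), otherwise issued by parent/parentKey.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issue builds a constructed root CA (the file the client passes as --tls.certfiles) and a server certificate signed by it whose SANs are exactly dnsNames.
func issue(dnsNames []string) (ca, server *x509.Certificate, err error) {
	ca, caKey, err := newCert(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-tls-ca"}, IsCA: true, BasicConstraintsValid: true}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	server, _, err = newCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsNames[0]}, DNSNames: dnsNames,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return ca, server, err
}

// clientCheck is the client side of the handshake: trust only root and require server to be valid for host, as a dial to https://host:7054 does.
func clientCheck(root, server *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
```

With the question's SANs, clientCheck(ca, srv, "localhost") returns the same x509 hostname error as the post, while a root that did not sign the server certificate fails with an unknown-authority error even when the host matches.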
