Reputation: 2654
Scenario: I have two organisations with two peers in each organisation. Now, I want each organisation to provide an orderer node as well.
Below is my crypto-config.yaml file:
OrdererOrgs:
  - Name: Orderer1
    Domain: org1.xyz.com
    Template:
      Count: 1
  - Name: Orderer2
    Domain: org2.xyz.com
    Template:
      Count: 1
Below is my configtx.yaml file:
- &OrdererOrg1
  Name: OrdererOrg01
  ID: Orderer1MSP
  MSPDir: crypto-config/ordererOrganizations/org1.xyz.com/msp
  Policies:
    Readers:
      Type: Signature
      Rule: "OR('Orderer1MSP.member')"
    Writers:
      Type: Signature
      Rule: "OR('Orderer1MSP.member')"
    Admins:
      Type: Signature
      Rule: "OR('Orderer1MSP.admin')"
- &OrdererOrg2
  Name: OrdererOrg02
  ID: Orderer2MSP
  MSPDir: crypto-config/ordererOrganizations/org2.xyz.com/msp
  Policies:
    Readers:
      Type: Signature
      Rule: "OR('Orderer2MSP.member')"
    Writers:
      Type: Signature
      Rule: "OR('Orderer2MSP.member')"
    Admins:
      Type: Signature
      Rule: "OR('Orderer2MSP.admin')"
Below is my docker-compose-cli.yaml file:
services:
  orderer.xyz.com:
    extends:
      file: base/docker-compose-base.yaml
      service: orderer.xyz.com
    container_name: orderer.xyz.com
    networks:
      - byfn
  orderer0.xyz.com:
    extends:
      file: base/docker-compose-base.yaml
      service: orderer0.xyz.com
    container_name: orderer0.xyz.com
    networks:
      - byfn
I try to create a channel with the following command:
peer channel create -o orderer.xyz.com:7050 -t 60s -c bay -f ./channel-artifacts/channel.tx --tls true --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/org1.xyz.com/orderers/orderer0.org1.xyz.com/msp/tlscacerts/tlsca.org1.xyz.com-cert.pem
I get the following ERROR on Orderer container logs while creating a channel:
[core.comm] ServerHandshake -> ERRO 015 TLS handshake failed with error remote error: tls: bad certificate {"server": "Orderer", "remote address": "172.22.0.18:48594"}
So, is it possible for organisations providing peers to provide an orderer node as well, or will a separate third organisation be providing orderer nodes (as observed in tutorials)? And why am I getting this error?
Thanks for your time and let me know if you require any further information.
Upvotes: 0
Views: 2408
Reputation: 31
In my case I got this error
[core.comm] ServerHandshake -> ERRO 025 TLS handshake failed with error remote error: tls: internal error {"server": "Orderer", "remote address": "190.22.189.42:40746"}
when I used a Fabric SDK to connect to a Fabric network that has TLS enabled. To solve this, you need to ensure that the connection profile uses the hostnameOverride property in the Orderer section. This is an example:
orderers:
  orderer.example.com:
    url: grpcs://localhost:7050
    # these are standard properties defined by the gRPC library
    # they will be passed in as-is to gRPC client constructor
    grpcOptions:
      hostnameOverride: orderer.example.com
      grpc-max-send-message-length: 15
      grpc.keepalive_time_ms: 360000
      grpc.keepalive_timeout_ms: 180000
Please check the following example for more information: https://github.com/hyperledger/fabric-sdk-java/blob/master/src/test/fixture/sdkintegration/network_configs/network-config-tls.yaml
I really worked for days on this error and finally found the solution.
For more information, Fabric training, or developing blockchain solutions for business and government based on Hyperledger Fabric in Chile and Latin America, please visit www.blockchainempresarial.com
Upvotes: 0
Reputation: 2654
I'm finally able to find the actual reason behind this issue. The issue was with the service name of the orderer containers in the docker-compose-cli.yaml file. The service name should match the name specified in the crypto-config.yaml file, following the hostname.domain pattern.
So, I changed the orderer configurations in the docker-compose-cli.yaml file like below:
services:
  orderer0.telco1.vodworks.com:
    extends:
      file: base/docker-compose-base.yaml
      service: orderer.vodworks.com
    container_name: orderer.vodworks.com
    networks:
      - byfn
  orderer0.telco2.vodworks.com:
    extends:
      file: base/docker-compose-base.yaml
      service: orderer0.vodworks.com
    container_name: orderer0.vodworks.com
    networks:
      - byfn
After this, I modified the peer channel commands in the script.sh and utils.sh scripts by adding the correct names of the orderers. After these couple of changes I was able to run my network successfully, and I verified this deployment by installing chaincodes as well.
Thanks to @arnaud-j-le-hors for the sample application which helped me figure out this issue.
Upvotes: 2
Reputation: 241
I'm not the expert here but I'm not sure why you are trying to connect to orderer.xyz.com? I've got one setup that looks like what you're trying to do and for that you should give a name to each of the ordering nodes you want to create by adding the following lines to your crypto-config file (for both orderers):
Specs:
  - Hostname: orderer
And you should define two corresponding containers, one called orderer.org1.xyz.com and the other orderer.org2.xyz.com in your compose file.
You should then be able to create the channel by contacting orderer.org1.xyz.com.
Upvotes: 0
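As an added example (not part of any post above, and not Fabric's own code): a TLS client checks the name it dialed against the names in the server's certificate, so the names used as compose services and in `peer channel create -o` have to be names cryptogen actually issued certificates for. The sketch assumes cryptogen's default naming (`orderer<index>` for `Template` entries, `<Hostname>.<Domain>` as the certificate name); the dictionaries are constructed from the question's files and from the `Specs` suggestion.

```python
# Added example: derive the orderer FQDNs that cryptogen would put in the
# certificates, then check whether the endpoints in use are among them.
# Assumption: cryptogen's default templates (hostname "orderer<index>",
# certificate name "<hostname>.<domain>").

def orderer_hostnames(orderer_orgs):
    """Return the FQDNs certificates are issued for, in config order."""
    names = []
    for org in orderer_orgs:
        domain = org["Domain"]
        # Explicit Specs entries: the Hostname is used as given.
        for spec in org.get("Specs", []):
            names.append(f'{spec["Hostname"]}.{domain}')
        # Template entries: orderer<Start>, orderer<Start+1>, ...
        tmpl = org.get("Template", {})
        start = tmpl.get("Start", 0)
        for i in range(tmpl.get("Count", 0)):
            names.append(f"orderer{start + i}.{domain}")
    return names


def check_endpoints(orderer_orgs, endpoints):
    """Map each endpoint host to True if an issued certificate covers it."""
    issued = set(orderer_hostnames(orderer_orgs))
    return {host: host in issued for host in endpoints}


# Constructed from the question's crypto-config.yaml (parsed form).
QUESTION_ORGS = [
    {"Name": "Orderer1", "Domain": "org1.xyz.com", "Template": {"Count": 1}},
    {"Name": "Orderer2", "Domain": "org2.xyz.com", "Template": {"Count": 1}},
]
# Service names from the question's docker-compose-cli.yaml (and the -o host).
QUESTION_ENDPOINTS = ["orderer.xyz.com", "orderer0.xyz.com"]

# Constructed variant using the Specs/Hostname entries suggested above.
SPECS_ORGS = [
    {"Name": "Orderer1", "Domain": "org1.xyz.com", "Specs": [{"Hostname": "orderer"}]},
    {"Name": "Orderer2", "Domain": "org2.xyz.com", "Specs": [{"Hostname": "orderer"}]},
]

if __name__ == "__main__":
    print("issued for:", orderer_hostnames(QUESTION_ORGS))
    for host, ok in check_endpoints(QUESTION_ORGS, QUESTION_ENDPOINTS).items():
        print(f"{host}: {'covered' if ok else 'no certificate for this name'}")
```

Run against the question's files, neither compose service name is covered by an issued certificate, which is the mismatch the accepted answer describes.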
Reputation: 11
I do not know how you defined the structure of organizations and peers in your network, but, by looking at the path you specify for the --cacert and the config files, it seems to me that telco1.vodworks.com is not specified as being an orderer organization.
Overall I may ask, are you sure that the path for the --cacert is correct?
Upvotes: 0