Reputation: 66
I am stuck with this error while trying to create a channel using the API (I am using a sample similar to the balance transfer example from fabric samples).
However, I can create a channel, install, instantiate and invoke using the CLI commands.
I have enclosed both the screenshot of the error and my network-config file.
--networkconfig.yaml--

    #
    # The network connection profile provides client applications the information about the target
    # blockchain network that are necessary for the applications to interact with it. These are all
    # knowledge that must be acquired from out-of-band sources. This file provides such a source.
    name: "business-connect"

    #
    # Any properties with an "x-" prefix will be treated as application-specific, exactly like how naming
    # in HTTP headers or swagger properties work. The SDK will simply ignore these fields and leave
    # them for the applications to process. This is a mechanism for different components of an application
    # to exchange information that are not part of the standard schema described below. In particular,
    # the "x-type" property with the "hlfv1" value example below is used by Hyperledger Composer to
    # determine the type of Fabric networks (v0.6 vs. v1.0) it needs to work with.
    x-type: "hlfv1"

    #
    # Describe what the target network is/does.
    description: "Business connect-POC"

    #
    # Schema version of the content. Used by the SDK to apply the corresponding parsing rules.
    version: "1.0"

    #
    # The client section will be added on a per org basis see org1.yaml and org2.yaml
    #
    client:

    #
    # [Optional]. But most apps would have this section so that channel objects can be constructed
    # based on the content below. If an app is creating channels, then it likely will not need this
    # section.
    channels:
      # name of the channel
      internal-channel:
        # Required. list of orderers designated by the application to use for transactions on this
        # channel. This list can be a result of access control ("org1" can only access "ordererA"), or
        # operational decisions to share loads from applications among the orderers. The values must
        # be "names" of orgs defined under "organizations/peers"
        orderers:
          - orderer1-htc

        # Required. list of peers from participating orgs
        peers:
          peer1-accounts:
            # [Optional]. will this peer be sent transaction proposals for endorsement? The peer must
            # have the chaincode installed. The app can also use this property to decide which peers
            # to send the chaincode install request. Default: true
            endorsingPeer: true

            # [Optional]. will this peer be sent query proposals? The peer must have the chaincode
            # installed. The app can also use this property to decide which peers to send the
            # chaincode install request. Default: true
            chaincodeQuery: true

            # [Optional]. will this peer be sent query proposals that do not require chaincodes, like
            # queryBlock(), queryTransaction(), etc. Default: true
            ledgerQuery: true

            # [Optional]. will this peer be the target of the SDK's listener registration? All peers can
            # produce events but the app typically only needs to connect to one to listen to events.
            # Default: true
            eventSource: true

          peer1-mgmt:
            endorsingPeer: false
            chaincodeQuery: true
            ledgerQuery: true
            eventSource: false

          peer1-project:
            endorsingPeer: false
            chaincodeQuery: true
            ledgerQuery: true
            eventSource: true

        # [Optional]. what chaincodes are expected to exist on this channel? The application can use
        # this information to validate that the target peers are in the expected state by comparing
        # this list with the query results of getInstalledChaincodes() and getInstantiatedChaincodes()
        chaincodes:
          # the format follows the "canonical name" of chaincodes by fabric code
          - mycontract-v0.1

    #
    # list of participating organizations in this network
    organizations:
      htc:
        mspid: htcMSP
        orderer:
          - orderer1-htc
        certificateAuthorities:
          - ica-htc

      accounts:
        mspid: accountsMSP
        peers:
          - peer1-accounts

        # [Optional]. Certificate Authorities issue certificates for identification purposes in a Fabric based
        # network. Typically certificates provisioning is done in a separate process outside of the
        # runtime network. Fabric-CA is a special certificate authority that provides a REST APIs for
        # dynamic certificate management (enroll, revoke, re-enroll). The following section is only for
        # Fabric-CA servers.
        certificateAuthorities:
          - ica-accounts

        # [Optional]. If the application is going to make requests that are reserved to organization
        # administrators, including creating/updating channels, installing/instantiating chaincodes, it
        # must have access to the admin identity represented by the private key and signing certificate.
        # Both properties can be the PEM string or local path to the PEM file. Note that this is mainly for
        # convenience in development mode, production systems should not expose sensitive information
        # this way. The SDK should allow applications to set the org admin identity via APIs, and only use
        # this route as an alternative when it exists.
        adminPrivateKey:
          path: network/data/orgs/accounts/admin/msp/keystore/accounts_sk
        signedCert:
          path: network/data/orgs/accounts/admin/msp/signcerts/cert.pem

      # the profile will contain public information about organizations other than the one it belongs to.
      # These are necessary information to make transaction lifecycles work, including MSP IDs and
      # peers with a public URL to send transaction proposals. The file will not contain private
      # information reserved for members of the organization, such as admin key and certificate,
      # fabric-ca registrar enroll ID and secret, etc.
      mgmt:
        mspid: mgmtMSP
        peers:
          - peer1-mgmt
        certificateAuthorities:
          - ica-mgmt
        adminPrivateKey:
          path: network/data/orgs/mgmt/admin/msp/keystore/mgmt_sk
        signedCert:
          path: network/data/orgs/mgmt/admin/msp/signcerts/cert.pem

      project:
        mspid: projectMSP
        peers:
          - peer1-project
        certificateAuthorities:
          - ica-project
        adminPrivateKey:
          path: network/data/orgs/project/admin/msp/keystore/project_sk
        signedCert:
          path: network/data/orgs/project/admin/msp/signcerts/cert.pem

    #
    # List of orderers to send transaction and channel create/update requests to. For the time
    # being only one orderer is needed. If more than one is defined, which one get used by the
    # SDK is implementation specific. Consult each SDK's documentation for its handling of orderers.
    orderers:
      orderer1-htc:
        url: grpcs://localhost:7050

        # these are standard properties defined by the gRPC library
        # they will be passed in as-is to gRPC client constructor
        grpcOptions:
          ssl-target-name-override: orderer1-htc

        tlsCACerts:
          path: network/data/htc.crt

    #
    # List of peers to send various requests to, including endorsement, query
    # and event listener registration.
    peers:
      peer1-accounts:
        # this URL is used to send endorsement and query requests
        url: grpcs://localhost:7051
        grpcOptions:
          ssl-target-name-override: peer1-accounts
        tlsCACerts:
          path: network/data/accounts.crt

      peer1-mgmt:
        url: grpcs://localhost:8051
        grpcOptions:
          ssl-target-name-override: peer1-mgmt
        tlsCACerts:
          path: network/data/mgmt.crt

      peer1-project:
        url: grpcs://localhost:9051
        grpcOptions:
          ssl-target-name-override: peer1-project
        tlsCACerts:
          path: network/data/project.crt

    #
    # Fabric-CA is a special kind of Certificate Authority provided by Hyperledger Fabric which allows
    # certificate management to be done via REST APIs. Application may choose to use a standard
    # Certificate Authority instead of Fabric-CA, in which case this section would not be specified.
    certificateAuthorities:
      ica-htc:
        url: http://localhost:1054
        httpOptions:
          verify: false
        tlsCACerts:
          path: network/data/htc-ca-cert.pem
        registrar:
          - enrollId: ica-htc-admin
            enrollSecret: ica-htc-adminpw
        # [Optional] The optional name of the CA.
        caName: ica-htc

      ica-accounts:
        url: http://localhost:7054
        # the properties specified under this object are passed to the 'http' client verbatim when
        # making the request to the Fabric-CA server
        httpOptions:
          verify: false
        tlsCACerts:
          path: network/data/accounts-ca-chain.pem

        # Fabric-CA supports dynamic user enrollment via REST APIs. A "root" user, a.k.a registrar, is
        # needed to enroll and invoke new users.
        registrar:
          - enrollId: ica-accounts-admin
            enrollSecret: ica-accounts-adminpw
        # [Optional] The optional name of the CA.
        caName: ica-accounts

      ica-mgmt:
        url: http://localhost:8054
        httpOptions:
          verify: false
        tlsCACerts:
          path: network/data/mgmt-ca-chain.pem
        registrar:
          - enrollId: ica-mgmt-admin
            enrollSecret: ica-mgmt-adminpw
        # [Optional] The optional name of the CA.
        caName: ica-mgmt

      ica-project:
        url: http://localhost:9054
        httpOptions:
          verify: false
        tlsCACerts:
          path: network/data/project-ca-chain.pem
        registrar:
          - enrollId: ica-project-admin
            enrollSecret: ica-project-adminpw
        # [Optional] The optional name of the CA.
        caName: ica-project

Upvotes: 0
Views: 3472
Reputation: 1
This problem is related to blocks in the Firewall. When I disabled SSL checking on my firewall, it worked again, no problem
Upvotes: 0
Reputation: 12013
Looks like you are getting a hostname verification error on the TLS handshake. In your settings

    # this URL is used to send endorsement and query requests
    url: grpcs://localhost:7051
    grpcOptions:
      ssl-target-name-override: peer1-accounts
    tlsCACerts:
      path: network/data/accounts.crt

you are calling localhost but you set the override to peer1-accounts. The hostname you use in the URL must match one of the SANs in the TLS certificate used by the peer OR whatever value you set for ssl-target-name-override must match one of the SANs in the TLS certificate.
You can print the details of the certificate using openssl:

    openssl x509 -noout -text -in path-to-tls-cert

Upvotes: 2
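
The check described in the answer above, as an added example that is not part of the original posts: it reads the SAN line from `openssl x509 -noout -text` output and tests whether the name the client will verify (the `ssl-target-name-override` if set, otherwise the URL host) is covered. The certificate text and SAN values are constructed, the function names are hypothetical, and the matcher is a simplified model of hostname verification (exact match, left-most wildcard label, IPv4 SANs).

```javascript
// Added example; the certificate text below is constructed sample data.

// Extract SAN entries from `openssl x509 -noout -text` output.
function parseSans(opensslText) {
  const sans = { dns: [], ip: [] };
  const m = opensslText.match(/X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)/);
  if (!m) return sans;
  for (const entry of m[1].split(',').map((s) => s.trim())) {
    if (entry.startsWith('DNS:')) sans.dns.push(entry.slice(4).toLowerCase());
    else if (entry.startsWith('IP Address:')) sans.ip.push(entry.slice(11));
  }
  return sans;
}

// Name checked during the handshake: the override if set, else the URL host.
function nameToVerify(endpoint) {
  const override = (endpoint.grpcOptions || {})['ssl-target-name-override'];
  return override || new URL(endpoint.url).hostname;
}

// Exact DNS match, or one wildcard in the left-most label; IPs need an IP SAN.
function matchesSans(name, sans) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(name)) return sans.ip.includes(name);
  const host = name.toLowerCase();
  return sans.dns.some((san) => {
    if (!san.startsWith('*.')) return san === host;
    const dot = host.indexOf('.');
    return dot > 0 && host.slice(dot) === san.slice(1);
  });
}

function checkEndpoint(endpoint, opensslText) {
  const name = nameToVerify(endpoint);
  return { name, ok: matchesSans(name, parseSans(opensslText)) };
}

// Constructed certificate dump (hypothetical SAN values).
const SAMPLE_CERT_TEXT = [
  '        X509v3 extensions:',
  '            X509v3 Subject Alternative Name:',
  '                DNS:peer1-accounts.example.test, IP Address:127.0.0.1',
].join('\n');

// The peer entry from the question: URL says localhost, override says peer1-accounts.
const peer = {
  url: 'grpcs://localhost:7051',
  grpcOptions: { 'ssl-target-name-override': 'peer1-accounts' },
};
console.log(checkEndpoint(peer, SAMPLE_CERT_TEXT));
```

With the constructed SANs, the question's peer entry fails because the override, not `localhost`, is the name being verified; setting the override to a name that appears in the SAN list makes the check pass.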