Bentipe

Reputation: 263

Orderer bootstrap says: CA Certificate did not have the CA attribute

Bootstrapping of the orderer gives me the following error:

[orderer.common.server] Start -> PANI 003 Failed validating bootstrap block: initializing channelconfig failed: could not create channel Orderer sub-group config: setting up the MSP manager failed: CA Certificate did not have the CA attribute, (SN: f8adffbd6a2debed01cd2840f1f75cd77bfdc9c)

panic: Failed validating bootstrap block: initializing channelconfig failed: could not create channel Orderer sub-group config: setting up the MSP manager failed: CA Certificate did not have the CA attribute, (SN: f8adffbd6a2debed01cd2840f1f75cd77bfdc9c)

goroutine 1 [running]:
github.com/hyperledger/fabric/vendor/go.uber.org/zap/zapcore.(*CheckedEntry).Write(0xc0001b1970, 0x0, 0x0, 0x0)
        /opt/gopath/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/zapcore/entry.go:229 +0x515
github.com/hyperledger/fabric/vendor/go.uber.org/zap.(*SugaredLogger).log(0xc0001382a0, 0xc00003d804, 0x10355b0, 0x25, 0xc00047bd10, 0x1, 0x1, 0x0, 0x0, 0x0)
        /opt/gopath/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/sugar.go:234 +0xf6
github.com/hyperledger/fabric/vendor/go.uber.org/zap.(*SugaredLogger).Panicf(0xc0001382a0, 0x10355b0, 0x25, 0xc00047bd10, 0x1, 0x1)
        /opt/gopath/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/sugar.go:159 +0x79
github.com/hyperledger/fabric/common/flogging.(*FabricLogger).Panicf(0xc0001382a8, 0x10355b0, 0x25, 0xc00047bd10, 0x1, 0x1)
        /opt/gopath/src/github.com/hyperledger/fabric/common/flogging/zap.go:74 +0x60
github.com/hyperledger/fabric/orderer/common/server.Start(0x1013e09, 0x5, 0xc00054f200)
        /opt/gopath/src/github.com/hyperledger/fabric/orderer/common/server/main.go:98 +0xcd
github.com/hyperledger/fabric/orderer/common/server.Main()
        /opt/gopath/src/github.com/hyperledger/fabric/orderer/common/server/main.go:91 +0x1ce
main.main()
        /opt/gopath/src/github.com/hyperledger/fabric/orderer/main.go:15 +0x20

I have checked the CA certificate files, and they have the following attribute:

X509v3 Basic Constraints: critical CA:TRUE, pathlen:0

I have created the genesis block with configtxgen pointing to the folders, following the common structure.

Also, I am using Fabric CA.

EDIT 1:

So I have been creating the network with Fabric CA instead of using cryptogen. I have followed the Fabric tutorial on how to create the certificates, and this is what I have done:

export FABRIC_CA_CLIENT_HOME=$HOME/Code/dockerimages/hyperledgerfabric/fabric-ca/clients/admin

./fabric-samples/bin/fabric-ca-client enroll -u https://admin:adminpw@localhost:7054 --tls.certfiles ./tls-cert.pem

./fabric-samples/bin/fabric-ca-client register --id.name peer0.example.com --id.type peer --id.affiliation example.operations --tls.certfiles ./tls-cert.pem

export FABRIC_CA_CLIENT_HOME=$HOME/Code/dockerimages/hyperledgerfabric/crypto-config/peerOrganizations/example.com/peers/peer0

./fabric-samples/bin/fabric-ca-client enroll -u https://peer0.example.com:aTSKHAhxxrIl@localhost:7054 --tls.certfiles ./tls-cert.pem -M $FABRIC_CA_CLIENT_HOME/msp

export FABRIC_CA_CLIENT_HOME=$HOME/Code/dockerimages/hyperledgerfabric/fabric-ca/clients/admin

./fabric-samples/bin/fabric-ca-client register --id.name peer1.example.com --id.type peer --id.affiliation example.operations --tls.certfiles ./tls-cert.pem

export FABRIC_CA_CLIENT_HOME=$HOME/Code/dockerimages/hyperledgerfabric/crypto-config/peerOrganizations/example.com/peers/peer1

./fabric-samples/bin/fabric-ca-client enroll -u https://peer1.example.com:ptPLWOAudqNJ@localhost:7054 --tls.certfiles ./tls-cert.pem -M $FABRIC_CA_CLIENT_HOME/msp

export FABRIC_CA_CLIENT_HOME=$HOME/Code/dockerimages/hyperledgerfabric/fabric-ca/clients/admin

./fabric-samples/bin/fabric-ca-client register --id.name orderer0.example.com --id.type orderer --id.affiliation example.operations --tls.certfiles ./tls-cert.pem

export FABRIC_CA_CLIENT_HOME=$HOME/Code/dockerimages/hyperledgerfabric/crypto-config/ordererOrganizations/example.com/orderers/orderer0

./fabric-samples/bin/fabric-ca-client enroll -u https://orderer0.example.com:WfEfUodXgjDI@localhost:7054 --tls.certfiles ./tls-cert.pem -M $FABRIC_CA_CLIENT_HOME/msp

After registering all the peers and the orderer, I started creating the artifacts with the following commands:

export CHANNEL_NAME=examplechannel

./fabric-samples/bin/configtxgen -profile OrdererGenesis -outputBlock ./config/genesis.block -channelID $CHANNEL_NAME

./fabric-samples/bin/configtxgen -profile ExampleChannel -outputCreateChannelTx ./config/channel.tx -channelID $CHANNEL_NAME

./fabric-samples/bin/configtxgen -profile ExampleChannel -outputAnchorPeersUpdate ./config/ExampleMSPanchors.tx -channelID $CHANNEL_NAME -asOrg Example

All of that uses the following structure for the crypto material folders:

- ordererOrganizations
    - example.com
        - msp
          - admincerts (the certificates of the administrators of that organization)
          - cacerts (the ca certificates of the organization)
          - tlscacerts (the tls certificate)
          - signcerts
- peerOrganizations
    - example.com
        - msp
          - admincerts (the certificates of the administrators of that organization)
          - cacerts (the ca certificates of the organization)
          - tlscacerts (the tls certificate)
          - signcerts

EDIT 2:

So there are a couple of things. I am using Fabric CA without any external certificate and with TLS enabled, so on bootstrapping it creates all the crypto material. In order to find the issue I have been comparing the decoded material created by the cryptogen tool with the Fabric CA material; I used this site: https://certlogik.com/decoder/. All but the TLS certificate have the same attributes. The one created by the cryptogen tool has the following property set to true:

X509v3 Basic Constraints: critical CA:TRUE

But the one created by the Fabric CA has the attribute set to false, so is there a property that determines this which I have not set up, or is it a bug?

EDIT 3:

So thanks to @gari and also to the people on the Hyperledger chat, I have come to the solution. I was confusing the TLS certificate created by the CA with the TLSCA; those are 2 separate things.

TLSCAs have to be distributed out of band. Set up an nginx server on the CA and serve them over an HTTP request backed by a real public CA cert, scp them around, sneakernet, whatever. There is a hack to get it from the ca-server directly with curl, but it requires turning off CA checking.

A Let's Encrypt cert would do, but you'd need a separate nginx server or equivalent set up to serve the non-public TLSCA. Or you can just use an LE cert for the TLSCA itself, but that would suck because you'd have to redo every channel every time the TLSCA was renewed by Let's Encrypt.

Upvotes: 1

Views: 1207

Answers (1)

Gari Singh

Reputation: 12013

Make sure that both cacerts and tlscacerts actually contain root certificates. From how you described the layout above, it looks like you do not have CA certificate(s) in the tlscacerts folder.

Upvotes: 1
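A check for the condition Gari describes and for the property the question inspected by hand (X509v3 Basic Constraints CA:TRUE), as an added example that is not part of this thread or of Fabric itself: it walks the cacerts and tlscacerts folders of an MSP directory and reports every PEM file that is not a CA certificate. The folder names are the ones from the question's layout; SelfSignedPEM is a helper that produces constructed test certificates, not real Fabric CA output.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// CheckMSPCACerts reads every *.pem under mspDir/cacerts and mspDir/tlscacerts and returns
// the files lacking Basic Constraints CA:TRUE, the cause of Fabric's "did not have the CA attribute".
func CheckMSPCACerts(mspDir string) (bad []string, err error) {
	for _, sub := range []string{"cacerts", "tlscacerts"} {
		files, _ := filepath.Glob(filepath.Join(mspDir, sub, "*.pem"))
		for _, f := range files {
			data, _ := os.ReadFile(f) // an unreadable file yields no PEM block below
			block, _ := pem.Decode(data)
			if block == nil {
				return nil, fmt.Errorf("%s: no PEM certificate found", f)
			}
			cert, err := x509.ParseCertificate(block.Bytes)
			if err != nil {
				return nil, fmt.Errorf("%s: %w", f, err)
			}
			if !cert.BasicConstraintsValid || !cert.IsCA { // IsCA is CA:TRUE in openssl output
				bad = append(bad, f)
			}
		}
	}
	return bad, nil
}

// SelfSignedPEM builds a constructed self-signed test certificate (not real Fabric CA
// output) with or without the CA basic constraint, so the check can be exercised offline.
func SelfSignedPEM(cn string, isCA bool) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// Stand-alone usage: go run check.go <msp-dir>
func main() { fmt.Println(CheckMSPCACerts(os.Args[1])) }
```

Run it against each msp directory you handed to configtxgen; a non-empty list names the file that makes the orderer panic, typically a server TLS certificate copied into tlscacerts instead of the TLS CA's root.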
