Subby

Reputation: 2036

Hyperledger Fabric Service Discovery - How to get peer tls certificates?

I am running a hyperledger network (1.3) consisting of 3 orgs. TLS is enabled on all components (so also the peer nodes).

I am using the fabric-go-sdk to trigger transactions.

In the log files of the fabric sdk I often get the following errors: [...]certificate signed by unknown authority[...]

This seems to happen when the sdk (that was initialized for peers of my own org) tries to contact other nodes on the network where it does not know the correct tls certificate.

I also understood that the sdk starts a discovery service and tries to discover additional peers (e.g. peers of a channel).

But how does my sdk retrieve the tls ca certificates of these peers to be able to contact them?

What I found out so far is that in the discovery service of the sdk there is a function that transforms discovered peers to a PeerConfig by calling the PeerConfig() method:

func asPeer(ctx contextAPI.Client, endpoint *discclient.Peer) {
 // .... (url is taken from the discovered endpoint)
 peerConfig, found := ctx.EndpointConfig().PeerConfig(url)
 // .... (found is false when the endpoint config has no entry for url)
}

But the PeerConfig function also has no idea what the tls ca cert of the discovered peer is and so cannot create a correct PeerConfig object by only looking at the provided url.

What is the correct way of configuring my sdk to be able to speak to other peers? Where does the sdk get the tls ca certificates of the other orgs? Are they being discovered at all? Or do I have to provide them manually?

Upvotes: 0

Views: 517

Answers (1)

Narendranath Reddy

Reputation: 4133

@Subby Don't be confused with all stuff

Org1 - org1CA

Org2 - org2CA

If the go-sdk profile contains both organizations, then you have to mention the tlsca cert of the appropriate organization's peers.

It's your responsibility to mention the correct tlsca certs. Nothing to do with service discovery.

"certificate signed by unknown authority" >>> means a wrong certificate, which is signed by an untrusted certificate authority.

All you need to do is mention the tlsca cert of the appropriate peer of the appropriate org.

Coming to the Service Discovery

The rule of thumb is that you need at least one peer to discover other peers; the application will use this peer to discover the others.

Note: You must configure

- CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.org1.example.com:7051

Check the sample discovery result: http://ideone.com/UmM0cK

Upvotes: 1
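The point the answer makes, shown as an added Go example (not code from the question, the answer, or fabric-sdk-go): the "certificate signed by unknown authority" error is the client failing to chain the peer's TLS certificate to any CA it trusts, and only adding the other org's tlsca to the trusted set (what the SDK's per-peer tlsCACerts entries supply) fixes it. The CAs and peer certificate are constructed in memory and stand in for org1CA, org2CA and a peer of Org2.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert makes a key pair and certificate for cn. With parent == nil it is a self-signed CA
// standing in for an org's tlsca (constructed here, not a real Fabric CA); otherwise a peer TLS server cert.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil { // self-signed CA: Verify requires the issuer's KeyUsage to include CertSign
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// TrustedByPool verifies a peer's TLS cert against the tlsca certs the client trusts. ok is true when a
// chain exists; unknownAuthority is true when the failure is the "signed by unknown authority" class.
func TrustedByPool(peerCert *x509.Certificate, host string, trusted ...*x509.Certificate) (ok, unknownAuthority bool) {
	pool := x509.NewCertPool()
	for _, ca := range trusted {
		pool.AddCert(ca)
	}
	_, err := peerCert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	_, unknownAuthority = err.(x509.UnknownAuthorityError)
	return err == nil, unknownAuthority
}

func main() {
	org1CA, _ := newCert("tlsca.org1.example.com", nil, nil)
	org2CA, org2Key := newCert("tlsca.org2.example.com", nil, nil)
	peer, _ := newCert("peer0.org2.example.com", org2CA, org2Key)
	fmt.Println(TrustedByPool(peer, "peer0.org2.example.com", org1CA))         // only org1's tlsca trusted
	fmt.Println(TrustedByPool(peer, "peer0.org2.example.com", org1CA, org2CA)) // both orgs' tlsca trusted
}
```

A hostname mismatch with the right CA trusted fails differently (a hostname error, not an unknown authority), which is how to tell a missing tlsca entry apart from a wrong url or ssl-target-name-override.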
