Moazzem Hossen

Reputation: 2506

MSP error: the supplied identity is not valid: x509: certificate signed by unknown authority Hyperledger Fabric

I first generate crypto materials using cryptogen and then start, for example, the org1 CA server like so:

fabric-ca-server start --ca.certfile $(ls crypto-config/peerOrganizations/org1/ca/*.pem) --ca.keyfile $(ls crypto-config/peerOrganizations/org1/ca/*_sk) -d -b admin:adminpw --port 7054

From the NodeJS SDK I can enroll the admin and register (and enroll) new users. But when I try to access the Fabric network with these new user credentials, or even the admin credentials, I get the error below on the SDK console:

root@peer0:/var/hyperledger/api# ts-node src/invoke.ts 
Wallet path: /var/hyperledger/api/wallet
2019-10-08T13:32:17.819Z - warn: [DiscoveryEndorsementHandler]: _build_endorse_group_member >> G0:0 - endorsement failed - Error: 2 UNKNOWN: access denied: channel [private-channel] creator org [Org1MSP]
2019-10-08T13:32:17.826Z - warn: [DiscoveryEndorsementHandler]: _build_endorse_group_member >> G0:0 - endorsement failed - Error: 2 UNKNOWN: access denied: channel [private-channel] creator org [Org1MSP]
2019-10-08T13:32:17.833Z - warn: [DiscoveryEndorsementHandler]: _build_endorse_group_member >> G1:0 - endorsement failed - Error: 2 UNKNOWN: access denied: channel [private-channel] creator org [Org1MSP]
2019-10-08T13:32:17.841Z - warn: [DiscoveryEndorsementHandler]: _build_endorse_group_member >> G1:0 - endorsement failed - Error: 2 UNKNOWN: access denied: channel [private-channel] creator org [Org1MSP]
Failed to submit transaction: Error: Endorsement has failed

The peer log says:

MSP error: the supplied identity is not valid: x509: certificate signed by unknown authority.

I'm using exactly the same credentials in the peer CLI container and the SDK. I can do all chaincode operations from the CLI, but why don't peers accept connections from the SDK?

Does FABRIC_CA_SERVER_CA_NAME have anything to do with it? Does cryptogen also create a FABRIC_CA_SERVER_CA_NAME for the CA server? If so, are peer credentials associated with the CA name? In the NodeJS SDK, I tried caName=ca-org1 as well as caName=ca.org1, but I'm still getting the same error.

Upvotes: 0

Views: 1194

Answers (1)

flashbackzoo

Reputation: 358

I ran into this (or something very similar) and managed to resolve it. The issue for me was incorrect paths to my .pem and private key files in the fabric-ca-server start command.

If the paths are incorrect, when the CA container starts it will be unable to locate your files (generated by cryptogen), so it will generate its own.

The enroll and register scripts generate identities based on your cryptogen material, which is correct, but they're not the certs your CA has decided to generate for you.

To check if this is what's happening, have a look at the CA logs:

docker logs <your ca container>

Near the top where the server starts up, look for messages referring to missing keys, or messages about generating files.

Hope that helps.

Upvotes: 0
