GeorgePal

Reputation: 85

Fabric chaincode - Communicate with Vault

I need to, somehow, communicate with a Vault instance from some chaincode.

My issue is that I need (mutual) TLS on Vault, so in order for the chaincode to communicate with it, it needs the appropriate certificates issued by the appropriate CA.

Both the peer that the chaincode is installed on and the Vault instance utilize the same root CA.

So, how can I acquire the appropriate certificates in the chaincode and use them for the request made to the Vault instance?

If it, somehow, helps:

log from the chaincode container when I make the request:

2021-01-21T14:18:29.847Z error [c-api:_]                                          Unhandled Rejection reason RequestError: Error: unable to verify the first certificate promise Promise {
  <rejected> RequestError: Error: unable to verify the first certificate
      at new RequestError (/usr/local/src/node_modules/request-promise-core/lib/errors.js:14:15)
      at Request.plumbing.callback (/usr/local/src/node_modules/request-promise-core/lib/plumbing.js:87:29)
      at Request.RP$callback [as _callback] (/usr/local/src/node_modules/request-promise-core/lib/plumbing.js:46:31)
      at self.callback (/usr/local/src/node_modules/request/request.js:185:22)
      at Request.emit (events.js:311:20)
      at Request.onRequestError (/usr/local/src/node_modules/request/request.js:881:8)
      at ClientRequest.emit (events.js:311:20)
      at TLSSocket.socketErrorListener (_http_client.js:426:9)
      at TLSSocket.emit (events.js:311:20)
      at emitErrorNT (internal/streams/destroy.js:92:8) {
    name: 'RequestError',
    message: 'Error: unable to verify the first certificate',
    cause: Error: unable to verify the first certificate
        at TLSSocket.onConnectSecure (_tls_wrap.js:1473:34)
        at TLSSocket.emit (events.js:311:20)
        at TLSSocket._finishInit (_tls_wrap.js:916:8)
        at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:686:12) {
      code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'
    },
    error: Error: unable to verify the first certificate
        at TLSSocket.onConnectSecure (_tls_wrap.js:1473:34)
        at TLSSocket.emit (events.js:311:20)
        at TLSSocket._finishInit (_tls_wrap.js:916:8)
        at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:686:12) {
      code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'
    },
    options: {
      json: [Object],
      resolveWithFullResponse: true,
      simple: false,
      strictSSL: true,
      method: 'PUT',
      path: '/sys/unseal',
      headers: [Object],
      uri: 'https://vaultinstance.com:8200/v1/sys/unseal',
      callback: [Function: RP$callback],
      transform: undefined,
      transform2xxOnly: false
    },
    response: undefined
  }
}  

log from vault when the request is made:

2021-01-21T14:20:59.784Z [INFO]  http: TLS handshake error from 192.168.224.1:51074: remote error: tls: unknown certificate

Upvotes: 0

Views: 217

Answers (1)

James Taylor

Reputation: 797

There's no way to provide secret config information to chaincode at install time, so unless you include the certificate in the chaincode package, which is probably a bad idea, I think your chaincode will need an init transaction to send in the required certificate using transient data.

The chaincode lifecycle documentation describes how to require an init transaction.

If you are using the Fabric peer CLI, you can use the --init-required flag when you approve and commit the chaincode definition to indicate that the Init function must be called to initialize the new chaincode version. To call Init using the Fabric peer CLI, use the peer chaincode invoke command and pass the --isInit flag.

The private data documentation describes how you can protect the TLS certificate when you initialise the chaincode.

Alternatively, if you don't want to use an init transaction or store the TLS certificate on the ledger/in a private data collection, you could provide the TLS certificate using transient data to every transaction which needs to communicate with the vault and leave it to the client to manage the certificate.

Upvotes: 1
