AlexCav
Reputation: 31
SSL: CERTIFICATE_VERIFY_FAILED : certificate verify failed: self-signed certificate (_ssl.c:1007)'))) - Hyperledger Fabric
PLEASE HELP ME
For days I haven't been able to understand why I can't configure my hyperledger fabric network with secure SSL communication, due to certificate errors.
I provide you with all the files I use:
network.json (config file for the network)
{
"name": "Modbus2Chain",
"description": "Modbus2Chain Project course for IoT security and Data security",
"version": "0.1",
"client": {
"organization": "Org1",
"credentialStore": {
"path": "/tmp/hfc-kvs",
"cryptoStore": {
"path": "/tmp/hfc-cvs"
},
"wallet": "wallet-name"
}
},
"organizations": {
"orderer0.modbus2chain.com":{
"mspid":"OrdererMSP",
"orderers": [
"orderer.modbus2chain.com"
],
"certificateAuthorities": [
"ca-orderer"
],
"users": {
"Admin": {
"cert": "../crypto-material/ordererOrganizations/modbus2chain.com/users/[email protected]/msp/signcerts/[email protected]",
"private_key": "../crypto-material/ordererOrganizations/modbus2chain.com/users/[email protected]/msp/keystore/priv_sk"
}
}
},
"org1.modbus2chain.com": {
"mspid": "Org1MSP",
"peers": [
"peer0.org1.modbus2chain.com"
],
"certificateAuthorities": [
"ca-org1"
],
"users": {
"Admin": {
"cert": "../crypto-material/peerOrganizations/org1.modbus2chain.com/users/[email protected]/msp/signcerts/[email protected]",
"private_key": "../crypto-material/peerOrganizations/org1.modbus2chain.com/users/[email protected]/msp/keystore/priv_sk"
}
}
},
"org2.modbus2chain.com": {
"mspid": "Org2MSP",
"peers": [
"peer0.org2.modbus2chain.com"
],
"certificateAuthorities": [
"ca-org2"
],
"users": {
"Admin": {
"cert": "../crypto-material/peerOrganizations/org2.modbus2chain.com/users/[email protected]/msp/signcerts/[email protected]",
"private_key": "../crypto-material/peerOrganizations/org2.modbus2chain.com/users/[email protected]/msp/keystore/priv_sk"
}
}
},
"org3.modbus2chain.com": {
"mspid": "Org3MSP",
"peers": [
"peer0.org3.modbus2chain.com"
],
"certificateAuthorities": [
"ca-org3"
],
"users": {
"Admin": {
"cert": "../crypto-material/peerOrganizations/org3.modbus2chain.com/users/[email protected]/msp/signcerts/[email protected]",
"private_key": "../crypto-material/peerOrganizations/org3.modbus2chain.com/users/[email protected]/msp/keystore/priv_sk"
}
}
}
},
"orderers": {
"orderer0.modbus2chain.com": {
"url": "localhost:7050",
"grpcOptions": {
"grpc.ssl_target_name_override": "orderer.modbus2chain.com",
"grpc-max-send-message-length": 15
},
"tlsCACerts": {
"path": "../crypto-material/ordererOrganizations/modbus2chain.com/tlsca/tlsca.modbus2chain.com-cert.pem"
}
}
},
"peers": {
"peer0.org1.modbus2chain.com": {
"url": "localhost:7051",
"eventUrl": "localhost:7051",
"grpcOptions": {
"grpc.ssl_target_name_override": "peer0.org1.modbus2chain.com",
"grpc.http2.keepalive_time": 15
},
"tlsCACerts": {
"path": "../crypto-material/peerOrganizations/org1.modbus2chain.com/peers/peer0.org1.modbus2chain.com/msp/tlscacerts/tlsca.org1.modbus2chain.com-cert.pem"
}
},
"peer0.org2.modbus2chain.com": {
"url": "localhost:8051",
"eventUrl": "localhost:8051",
"grpcOptions": {
"grpc.ssl_target_name_override": "peer0.org2.modbus2chain.com",
"grpc.http2.keepalive_time": 15
},
"tlsCACerts": {
"path": "../crypto-material/peerOrganizations/org2.modbus2chain.com/peers/peer0.org2.modbus2chain.com/msp/tlscacerts/tlsca.org2.modbus2chain.com-cert.pem"
}
},
"peer0.org3.modbus2chain.com": {
"url": "localhost:8052",
"eventUrl": "localhost:8052",
"grpcOptions": {
"grpc.ssl_target_name_override": "peer0.org3.modbus2chain.com",
"grpc.http2.keepalive_time": 15
},
"tlsCACerts": {
"path": "../crypto-material/peerOrganizations/org3.modbus2chain.com/peers/peer0.org3.modbus2chain.com/msp/tlscacerts/tlsca.org3.modbus2chain.com-cert.pem"
}
}
},
"certificateAuthorities": {
"ca-org1": {
"url": "https://localhost:9050",
"grpcOptions": {
"verify": false
},
"tlsCACerts": {
"path": "/home/alexcav/go/src/GitHub/Modbus2Chain/crypto-material/peerOrganizations/org1.modbus2chain.com/ca/ca.org1.modbus2chain.com-cert.pem"
},
"registrar": [
{
"enrollId": "admin",
"enrollSecret": "adminpw"
}
]
},
"ca-org2": {
"url": "https://localhost:8051",
"grpcOptions": {
"verify": true
},
"tlsCACerts": {
"path": "../crypto-material/peerOrganizations/org2.modbus2chain.com/ca/org2.modbus2chain.com-cert.pem"
},
"registrar": [
{
"enrollId": "admin",
"enrollSecret": "adminpw"
}
]
},
"ca-org3": {
"url": "https://localhost:8052",
"grpcOptions": {
"verify": true
},
"tlsCACerts": {
"path": "../crypto-material/peerOrganizations/org3.modbus2chain.com/ca/org3.modbus2chain.com-cert.pem"
},
"registrar": [
{
"enrollId": "admin",
"enrollSecret": "adminpw"
}
]
}
}}
Here are the configurations of the Docker containers, for the CA and for the organizations (I provide one to give you an idea):
ca-org1:
version: "3.8"
volumes:
ca-org1.modbus2chain.com:
networks:
apnet:
services:
ca-org1:
container_name: ca-org1.modbus2chain.com
image: hyperledger/fabric-ca
volumes:
- ../crypto-material/caOrganizations/ca-org1.modbus2chain.com/ca/:/etc/hyperledger/fabric-ca-server
- ca-org1.modbus2chain.com:/var/hyperledger/fabric-ca-server-config
- ../crypto-material/peerOrganizations/org1.modbus2chain.com/tlsca:/etc/hyperledger/fabric-ca-server/tlsca
environment:
- FABRIC_CA_SERVER_HOME=/etc/hyperledger/fabric-ca-server
- FABRIC_CA_SERVER_TLS_ENABLED=true
- FABRIC_CA_SERVER_CA_NAME=ca-org1.modbus2chain.com
- FABRIC_CA_SERVER_CSR_CN=rca-org1
- FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
- FABRIC_CA_SERVER_DEBUG=true
- FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server/tlsca/tlsca.org1.modbus2chain.com-cert.pem
- FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server/tlsca/priv_sk
working_dir: /etc/hyperledger/fabric-ca-server
command: /bin/bash -c 'fabric-ca-server start -d -b admin:adminpw --port 9050'
ports:
- 9050:9050
networks:
- apnet
org1:
version: "3.8"
volumes:
peer0.org1.modbus2chain.com:
networks:
apnet:
services:
peer0.org1.modbus2chain.com:
networks:
- apnet
container_name: peer0.org1.modbus2chain.com
image: hyperledger/fabric-peer:2.1
volumes:
- ../crypto-material/peerOrganizations/org1.modbus2chain.com/peers/peer0.org1.modbus2chain.com/msp:/etc/hyperledger/fabric/msp
- ../crypto-material/peerOrganizations/org1.modbus2chain.com/peers/peer0.org1.modbus2chain.com/tls:/etc/hyperledger/fabric/tls
- peer0.org1.modbus2chain.com:/var/hyperledger/production
environment:
# Generic peer variables
- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
- CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
- CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt
# Specific peer variables
- CORE_PEER_ID=peer0.org1.modbus2chain.com
- CORE_PEER_ADDRESS=peer0.org1.modbus2chain.com:7051
- CORE_PEER_LISTENADDRESS=0.0.0.0:7051
- CORE_PEER_GOSSIP_BOOTSTRAP=peer0.org1.modbus2chain.com:7051
- CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.org1.modbus2chain.com:7051
- CORE_PEER_LOCALMSPID=Org1MSP
- CORE_PEER_TLS_CLIENTAUTHREQUIRED=true
working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer
command: peer node start
ports:
- 7051:7051
This is the python code I'm trying to run. I'm using the hyperledger-fabric-py SDK and here is where I instantiate the ca_service to register a new user via my admin:
import os
from hfc.fabric import Client
from hfc.fabric_ca import CAClient
from hfc.util.crypto.crypto import ecies
from hfc.fabric_network.wallet import FileSystenWallet
from hfc.fabric_ca.caservice import ca_service
cli = Client(net_profile="network.json")
org1_admin = cli.get_user(org_name='org1.modbus2chain.com', name='Admin')
print( org1_admin._enrollment)
ca_certs_path="/home/alexcav/go/src/GitHub/Modbus2Chain/crypto-material/caOrganizations/ca-org1.modbus2chain.com/ca/ca-cert.pem"
casvc = ca_service(target="https://localhost:9050", ca_certs_path=ca_certs_path)
adminEnrollment = casvc.enroll("admin","adminpw")
secret = adminEnrollment.register("user1")
user1Enrollment = casvc.enroll("user1", "userpw")
When the code gets to:
casvc = ca_service(target="https://localhost:9050", ca_certs_path=ca_certs_path), I get this ERROR. I leave it complete below:
Traceback (most recent call last):
File "/usr/local/lib/python3.10/dist-packages/urllib3-1.26.15-py3.10.egg/urllib3/connectionpool.py", line 703, in urlopen
httplib_response = self._make_request(
File "/usr/local/lib/python3.10/dist-packages/urllib3-1.26.15-py3.10.egg/urllib3/connectionpool.py", line 386, in _make_request
self._validate_conn(conn)
File "/usr/local/lib/python3.10/dist-packages/urllib3-1.26.15-py3.10.egg/urllib3/connectionpool.py", line 1042, in _validate_conn
conn.connect()
File "/usr/local/lib/python3.10/dist-packages/urllib3-1.26.15-py3.10.egg/urllib3/connection.py", line 419, in connect
self.sock = ssl_wrap_socket(
File "/usr/local/lib/python3.10/dist-packages/urllib3-1.26.15-py3.10.egg/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
ssl_sock = _ssl_wrap_socket_impl(
File "/usr/local/lib/python3.10/dist-packages/urllib3-1.26.15-py3.10.egg/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/lib/python3.10/ssl.py", line 513, in wrap_socket
return self.sslsocket_class._create(
File "/usr/lib/python3.10/ssl.py", line 1071, in _create
self.do_handshake()
File "/usr/lib/python3.10/ssl.py", line 1342, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1007)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.10/dist-packages/requests-2.28.2-py3.10.egg/requests/adapters.py", line 489, in send
resp = conn.urlopen(
File "/usr/local/lib/python3.10/dist-packages/urllib3-1.26.15-py3.10.egg/urllib3/connectionpool.py", line 787, in urlopen
retries = retries.increment(
File "/usr/local/lib/python3.10/dist-packages/urllib3-1.26.15-py3.10.egg/urllib3/util/retry.py", line 592, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='localhost', port=9050): Max retries exceeded with url: /enroll (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1007)')))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/home/alexcav/go/src/GitHub/Modbus2Chain/app/fabric.py", line 19, in <module>
adminEnrollment = casvc.enroll("admin","adminpw") # now local will have the admin enrollment
File "/usr/local/lib/python3.10/dist-packages/fabric_sdk_py-0.9.0-py3.10.egg/hfc/fabric_ca/caservice.py", line 484, in enroll
enrollmentCert, caCertChain = self._ca_client.enroll(
File "/usr/local/lib/python3.10/dist-packages/fabric_sdk_py-0.9.0-py3.10.egg/hfc/fabric_ca/caservice.py", line 328, in enroll
res, st = self._send_ca_post(path='enroll',
File "/usr/local/lib/python3.10/dist-packages/fabric_sdk_py-0.9.0-py3.10.egg/hfc/fabric_ca/caservice.py", line 254, in _send_ca_post
r = requests.post(url=self._base_url + path, **param)
File "/usr/local/lib/python3.10/dist-packages/requests-2.28.2-py3.10.egg/requests/api.py", line 115, in post
return request("post", url, data=data, json=json, **kwargs)
File "/usr/local/lib/python3.10/dist-packages/requests-2.28.2-py3.10.egg/requests/api.py", line 59, in request
return session.request(method=method, url=url, **kwargs)
File "/usr/local/lib/python3.10/dist-packages/requests-2.28.2-py3.10.egg/requests/sessions.py", line 587, in request
resp = self.send(prep, **send_kwargs)
File "/usr/local/lib/python3.10/dist-packages/requests-2.28.2-py3.10.egg/requests/sessions.py", line 701, in send
r = adapter.send(request, **kwargs)
File "/usr/local/lib/python3.10/dist-packages/requests-2.28.2-py3.10.egg/requests/adapters.py", line 563, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='localhost', port=9050): Max retries exceeded with url: /enroll (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1007)')))
I appreciate any form of help. Thanks in advance to everyone.
Upvotes: 1
Views: 578
Answers (0)
Related Questions
- pip install fails with "connection error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)"
- Hyperledger Fabric CA Certificate Error with Fabric Samples deployment
- insert data as bulk hyperledger fabric
- Cannot create container for service peer0.org2.example.com: create .: volume name is too short, names should be at least two alphanumeric characters
- why is byfn just invoked on two peers (hyperledger fabric)?
- Orderer not created