Nik

Reputation: 1

Fabric CA: freshly enrolled admin cannot register new identity: Certificate not found

After enrolling the bootstrap ID of a new Fabric CA, I cannot register any identity.

The CA-Server logs:

72.25.1.9:37754 POST /register 401 30 "Certificate not found with AKI '939a02fd90b4066bea2bc757ec3756f6aac5208d' and serial '29e3a92ebe2d5deccae9fb0a9dbcc8ce81d9480'"

ORBIS is my root org CA and REGNUM an intermediate org CA.

After the CA starts, I enroll the bootstrap ID as follows:

    docker exec -it $ORBIS_TOOLS_NAME fabric-ca-client enroll -u https://$REGNUM_CA_NAME:$REGNUM_CA_PASS@$ORBIS_CA_NAME:$ORBIS_CA_PORT \
        --home $ORBIS_TOOLS_CACLI_DIR \
        --tls.certfiles tls-root-cert/tls-ca-cert.pem \
        --enrollment.profile ca \
        --mspdir $HOST_INFRA_DIR/$REGNUM/$REGNUM_CA_NAME/keys/msp \
        --csr.hosts ${REGNUM_CA_NAME},${REGNUM_CA_IP},${ORBIS_CA_NAME},${ORBIS_CA_IP},${ORBIS_TLS_NAME},${ORBIS_TLS_IP},*.jedo.dev

This was confirmed by the CA CLI:

2024-11-12 20:06:03.406 UTC 0001 DEBU [bccsp_sw] createKeyStore -> Creating KeyStore at [/etc/infrastructure/TWS/ca.tws.jedo.dev/keys/msp/keystore]...
2024-11-12 20:06:03.407 UTC 0002 DEBU [bccsp_sw] createKeyStore -> KeyStore created at [/etc/infrastructure/TWS/ca.tws.jedo.dev/keys/msp/keystore].
2024-11-12 20:06:03.407 UTC 0003 DEBU [bccsp_sw] openKeyStore -> KeyStore opened at [/etc/infrastructure/TWS/ca.tws.jedo.dev/keys/msp/keystore]...done
2024/11/12 20:06:03 [INFO] TLS Enabled
2024/11/12 20:06:03 [INFO] generating key: &{A:ecdsa S:384}
2024/11/12 20:06:03 [INFO] encoded CSR
2024/11/12 20:06:03 [INFO] Stored client certificate at /etc/infrastructure/TWS/ca.tws.jedo.dev/keys/msp/signcerts/cert.pem
2024/11/12 20:06:03 [INFO] Stored root CA certificate at /etc/infrastructure/TWS/ca.tws.jedo.dev/keys/msp/cacerts/ca-jedo-dev-51041.pem
2024/11/12 20:06:03 [INFO] Stored Issuer public key at /etc/infrastructure/TWS/ca.tws.jedo.dev/keys/msp/IssuerPublicKey
2024/11/12 20:06:03 [INFO] Stored Issuer revocation public key at /etc/infrastructure/TWS/ca.tws.jedo.dev/keys/msp/IssuerRevocationPublicKey

The next statement tries to register a random ID:

    docker exec -it $ORBIS_TOOLS_NAME fabric-ca-client register -u https://$REGNUM_CA_NAME:$REGNUM_CA_PASS@$REGNUM_CA_NAME:$REGNUM_CA_PORT \
        --home $ORBIS_TOOLS_CACLI_DIR \
        --tls.certfiles tls-root-cert/tls-ca-cert.pem \
        --mspdir $HOST_INFRA_DIR/$REGNUM/$REGNUM_CA_NAME/keys/msp \
        --id.name irgendwer --id.secret Test1 --id.type client --id.affiliation jedo.root

Where the CA server logs:

2024/11/12 20:12:56 [DEBUG] Received request for /register
2024/11/12 20:12:56 [DEBUG] Caller is using a x509 certificate
2024/11/12 20:12:56 [DEBUG] Certicate Dates: NotAfter = 2025-11-12 20:06:00 +0000 UTC NotBefore = 2024-11-12 20:01:00 +0000 UTC 
2024/11/12 20:12:56 [DEBUG] Checking for revocation/expiration of certificate owned by 'ca.tws.jedo.dev'
2024/11/12 20:12:56 [DEBUG] DB: Get certificate by serial (29e3a92ebe2d5deccae9fb0a9dbcc8ce81d9480) and aki (939a02fd90b4066bea2bc757ec3756f6aac5208d)
2024/11/12 20:12:56 [INFO] 172.25.1.9:37754 POST /register 401 30 "Certificate not found with AKI '939a02fd90b4066bea2bc757ec3756f6aac5208d' and serial '29e3a92ebe2d5deccae9fb0a9dbcc8ce81d9480'"

I found the certificate with a script:

./scripts/temp.sh
Certificate found: /mnt/user/appdata/jedo-dev/infrastructure/TWS/ca.tws.jedo.dev/keys/msp/signcerts/cert.pem

It looks like this:

openssl crl2pkcs7 -nocrl -certfile cert.pem | openssl pkcs7 -print_certs -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            02:9e:3a:92:eb:e2:d5:de:cc:ae:9f:b0:a9:db:cc:8c:e8:1d:94:80
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C=JD, ST=Dev, O=JEDO, OU=Root, CN=ca.jedo.dev
        Validity
            Not Before: Nov 12 20:01:00 2024 GMT
            Not After : Nov 12 20:06:00 2025 GMT
        Subject: C=JD, ST=Dev, O=JEDO, OU=jedo+OU=root+OU=client, CN=ca.tws.jedo.dev
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:20:3d:be:2e:93:68:b7:3f:4a:d9:95:46:84:87:
                    87:6d:54:16:af:74:0f:f8:b8:08:29:17:1e:d2:50:
                    98:a6:91:8a:16:b9:e1:23:12:7f:9a:ff:32:33:d8:
                    bb:20:cf:dc:44:c7:3e:63:1c:d8:17:a2:ed:53:d0:
                    02:5a:0d:f6:ea:70:7c:e4:2b:2e:08:43:98:12:28:
                    57:32:67:c9:3d:ad:24:f2:74:0d:9b:3a:dc:92:40:
                    21:e3:dc:37:a9:96:39
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:2
            X509v3 Subject Key Identifier: 
                19:8A:D5:8E:F8:DD:F7:9E:81:D4:22:2F:1D:29:2D:4D:E8:EF:8A:75
            X509v3 Authority Key Identifier: 
                93:9A:02:FD:90:B4:06:6B:EA:2B:C7:57:EC:37:56:F6:AA:C5:20:8D
            X509v3 Subject Alternative Name: 
                IP Address:172.25.2.4, IP Address:172.25.1.4, IP Address:172.25.1.3
            1.2.3.4.5.6.7.8.1: 
                {"attrs":{"hf.Affiliation":"jedo.root","hf.EnrollmentID":"ca.tws.jedo.dev","hf.Type":"client"}}
    Signature Algorithm: ecdsa-with-SHA384
    Signature Value:
        30:65:02:31:00:d2:30:ab:bc:8f:da:fd:7d:21:d0:f5:3f:b3:
        a4:19:c4:75:61:07:cb:7e:a5:06:b1:ac:76:83:1d:c5:2f:14:
        b1:4b:9c:d4:39:38:32:a2:62:11:16:b3:56:9a:76:39:64:02:
        30:70:bc:03:dc:f4:5f:07:ac:ae:75:07:ba:73:51:5c:e9:51:
        7b:46:32:02:6e:be:78:63:b3:13:54:e6:08:4f:a8:ec:b7:32:
        a1:01:69:ae:bf:27:7f:6d:7b:5c:ab:50:04

AKI and Serial match...

You have to know that I use Unraid with Docker, so Unraid's /mnt/user/appdata/jedo-dev/ is Docker's /etc/.

And here is a part of the fabric-ca-server-config.yaml:

version: 0.0.1
port: 52041
debug: true
tls:
    enabled: true
    certfile: /etc/infrastructure/TWS/ca.tws.jedo.dev/keys/tls/signcerts/cert.pem
    keyfile: /etc/infrastructure/TWS/ca.tws.jedo.dev/keys/tls/keystore/f3abd5d89b7d8f0902c7f36762517148bffb2c470b0793af31e8e9740bae4251_sk
    clientauth:
      type: noclientcert
      certfiles:
ca:
    name: ca.tws.jedo.dev
    certfile: /etc/infrastructure/TWS/ca.tws.jedo.dev/keys/msp/signcerts/cert.pem
    keyfile: /etc/infrastructure/TWS/ca.tws.jedo.dev/keys/msp/keystore/456fead10e362c055e4e2a387fb09e201a9c864124791ef63ef4f97ca0467d88_sk
    chainfile: /etc/infrastructure/TWS/ca.tws.jedo.dev/keys/msp/intermediatecerts/ca-chain.pem

I checked whether the file is really there:

root@JenzinerUnraid:/mnt/user/appdata/jedo-dev# ls -l ./infrastructure/TWS/ca.tws.jedo.dev/keys/msp/signcerts/cert.pem
-rwxrwxrwx 1 root root 1078 Nov 12 12:06 ./infrastructure/TWS/ca.tws.jedo.dev/keys/msp/signcerts/cert.pem*

So my question is: why can't the CA server find its certificate when it is in the given mspdir, exactly the same as in the enroll before?

What am I missing? Too many trees in the forest ;-)

I assume it has to do with ca-chain.pem or the intermediate config, because every operation with the root CA is working fine. The relevant part of the config.yaml:

csr:
    cn:
    keyrequest:
        algo: ecdsa
        size: 384
    names:
        - C: JD
          ST: Dev
          L:
          O: JEDO
          OU: Root
    hosts:
        - ca.tws.jedo.dev
        - 172.25.2.4
    ca:
        expiry: 131400h
        pathlength: 1
intermediate:
    parentserver:
        url: https://ca.jedo.dev:[email protected]:51041
        caname: ca.jedo.dev
    enrollment:
        hosts: 
            - ca.jedo.dev
            - 172.25.1.4
            - '*.jedo.dev'
        profile: ca

Upvotes: 0

Views: 12

Answers (0)
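An added worked check, in Go because that is what fabric-ca-server is written in; it is not part of the question above and not Fabric CA's own code. It derives from a PEM certificate the (serial, AKI) pair that appears in the server's "Certificate not found with AKI ... and serial ..." line, so the comparison with the log is done by a program rather than by eye: the serial in the openssl dump starts with `02:9e:3a` while the log shows `29e3a`, and both are the same number once the leading zero nibble is dropped. The example assumes the server keys its lookup on the serial as lowercase hex with leading zeros dropped (Go's `big.Int` `%x`) and on the AKI as lowercase hex without separators, which is the form the log line shows. The in-memory root and intermediate CA, their names, and the reuse of the serial and AKI values from the post are constructed for the example. What this check does and does not tell you: it confirms that the file on disk is the certificate the server looked for, not that the server receiving the request has that certificate in its own database, which is where the revocation check runs. In the commands above the enroll is sent to `$ORBIS_CA_NAME:$ORBIS_CA_PORT` while the register is sent to `$REGNUM_CA_NAME:$REGNUM_CA_PORT`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// lookupKeyFromPEM parses the first CERTIFICATE block and returns the (serial, AKI)
// pair in the assumed server lookup form: serial as lowercase hex without leading
// zero bytes, AKI as lowercase hex without separators.
func lookupKeyFromPEM(pemData []byte) (serial, aki string, err error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", "", fmt.Errorf("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", "", err
	}
	if len(cert.AuthorityKeyId) == 0 {
		return "", "", fmt.Errorf("certificate carries no Authority Key Identifier")
	}
	return cert.SerialNumber.Text(16), hex.EncodeToString(cert.AuthorityKeyId), nil
}

// normaliseHex maps an openssl-style value ("02:9E:3A:...") and a log-style value
// ("29e3a...") onto one canonical form so the two can be compared.
func normaliseHex(s string) string {
	s = strings.ToLower(strings.ReplaceAll(strings.TrimSpace(s), ":", ""))
	if t := strings.TrimLeft(s, "0"); t != "" {
		return t
	}
	return "0"
}

// matchesLog reports whether the certificate in pemData is the one a server named
// in "Certificate not found with AKI '<aki>' and serial '<serial>'".
func matchesLog(pemData []byte, logAKI, logSerial string) (bool, error) {
	serial, aki, err := lookupKeyFromPEM(pemData)
	if err != nil {
		return false, err
	}
	return normaliseHex(aki) == normaliseHex(logAKI) && normaliseHex(serial) == normaliseHex(logSerial), nil
}

// opensslSerial renders a serial the way `openssl x509 -text` prints it: the DER
// content octets, colon separated, with a leading 00 when the top bit is set.
func opensslSerial(n *big.Int) string {
	b := n.Bytes()
	if len(b) == 0 || b[0]&0x80 != 0 {
		b = append([]byte{0}, b...)
	}
	parts := make([]string, len(b))
	for i, c := range b {
		parts[i] = fmt.Sprintf("%02x", c)
	}
	return strings.Join(parts, ":")
}

// caTemplate is a minimal CA certificate template for the constructed test chain.
func caTemplate(serial *big.Int, cn string, ski []byte) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, SubjectKeyId: ski,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// makeTestChain builds a constructed root CA and an intermediate CA signed by it,
// entirely in memory, and returns the intermediate as PEM plus the root's Subject
// Key Identifier, which x509.CreateCertificate copies into the child's AKI.
func makeTestChain(serial *big.Int) (intermediatePEM, rootSKI []byte, err error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	interKey, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Constructed: the root's SKI is the AKI value quoted in the poster's log line.
	rootSKI, _ = hex.DecodeString("939a02fd90b4066bea2bc757ec3756f6aac5208d")
	rootTmpl := caTemplate(big.NewInt(1), "ca.jedo.dev", rootSKI)
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	rootCert, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, nil, err
	}
	interDER, err := x509.CreateCertificate(rand.Reader, caTemplate(serial, "ca.tws.jedo.dev", nil), rootCert, &interKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: interDER}), rootSKI, nil
}

func main() {
	// Constructed input: the serial from the poster's openssl dump.
	serial, _ := new(big.Int).SetString("029e3a92ebe2d5deccae9fb0a9dbcc8ce81d9480", 16)
	pemData, _, err := makeTestChain(serial)
	if err != nil {
		panic(err)
	}
	s, aki, _ := lookupKeyFromPEM(pemData)
	fmt.Printf("openssl serial: %s\nserver lookup : serial=%s aki=%s\n", opensslSerial(serial), s, aki)
	ok, _ := matchesLog(pemData, "939a02fd90b4066bea2bc757ec3756f6aac5208d", "29e3a92ebe2d5deccae9fb0a9dbcc8ce81d9480")
	fmt.Println("matches log line:", ok)
}
```

To run it against a real file, replace the constructed chain with `os.ReadFile` of the signcerts/cert.pem and pass the AKI and serial copied from the server log to `matchesLog`; a `true` result only rules out a wrong file, not a wrong server.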
