Nik

Reputation: 1

Failed to add orderer to a channel with v2.3 version: cannot join: consenter has invalid certificate

Cannot add an orderer (the first) to a new channel.

Relevant part of the configtx.yaml:

Orderer: &OrdererDefaults
  OrdererType: etcdraft
  Addresses:
    - orderer0.ea.jedo.dev:52111
  BatchTimeout: 2s
  BatchSize:
    MaxMessageCount: 500
    AbsoluteMaxBytes: 10 MB
    PreferredMaxBytes: 2 MB
  MaxChannels: 0
  EtcdRaft:
    Consenters:
      - Host: orderer0.ea.jedo.dev
        Port: 52111
        ClientTLSCert: /mnt/user/appdata/jedo-dev/infrastructure/jedo.dev/ea.jedo.dev/orderer0.ea.jedo.dev/tls/signcerts/cert.pem
        ServerTLSCert: /mnt/user/appdata/jedo-dev/infrastructure/jedo.dev/ea.jedo.dev/orderer0.ea.jedo.dev/tls/signcerts/cert.pem

The error:

cannot join: failed to determine cluster membership from join-block: failed to validate config metadata of ordering config: consenter orderer0.ea.jedo.dev:52111 has invalid certificate: verifying tls client cert with serial number 476849446703276711239976078033593615908192861227: x509: certificate signed by unknown authority

The cert.pem:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            53:86:ab:30:fb:28:97:20:50:8d:88:13:f6:28:85:1a:8d:7f:3c:2b
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C = JD, ST = Dev, O = JEDO, OU = Root, CN = tls.jedo.dev
        Validity
            Not Before: Dec  8 18:47:00 2024 GMT
            Not After : Dec  8 18:52:00 2025 GMT
        Subject: C = jd, ST = dev, O = ea, OU = jedo + OU = root + OU = client, CN = orderer0.ea.jedo.dev
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:6c:a9:38:08:59:83:da:1c:53:fc:ce:b9:d9:95:
                    46:4f:5e:ee:ff:b4:d0:6a:53:34:14:0a:02:6d:4c:
                    19:9a:d1:d4:8a:47:cd:5b:66:e7:76:a5:a2:db:95:
                    8d:f6:43:4d:2b:08:fc:c0:90:1f:04:30:d1:94:5c:
                    9c:2f:3c:20:4b:be:02:b0:1a:dc:85:a2:d6:d9:6b:
                    25:2e:7a:55:25:49:90:1b:9f:c4:eb:47:c5:6b:a8:
                    15:d3:72:6b:88:1b:18
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                DF:56:1B:8E:7E:52:24:9C:05:7D:75:28:8A:33:57:68:F2:3E:A0:01
            X509v3 Authority Key Identifier: 
                3F:1B:02:D5:7A:5F:94:BE:79:24:41:F2:5B:C4:D2:81:78:4B:02:06
            X509v3 Subject Alternative Name: 
                DNS:orderer0.ea.jedo.dev, DNS:*.jedo.dev, DNS:*.jedo.me, IP Address:172.25.2.11
            1.2.3.4.5.6.7.8.1: 
                {"attrs":{"hf.Affiliation":"jedo.root","hf.EnrollmentID":"orderer0.ea.jedo.dev","hf.Type":"client"}}
    Signature Algorithm: ecdsa-with-SHA384
    Signature Value:
        30:65:02:31:00:a7:02:fa:81:8b:90:6e:be:af:35:a3:3f:34:
        54:a6:e0:c6:6f:63:d4:91:63:0a:c7:48:81:04:f0:74:2d:92:
        a1:fe:9e:20:2b:cd:94:91:57:ae:ed:80:9e:32:17:da:e6:02:
        30:7b:93:4f:93:03:11:c3:77:38:4f:89:9c:73:0e:af:39:a0:
        3f:b4:66:5c:1e:6d:7c:03:72:2e:f9:05:bc:1e:7a:51:0b:76:
        53:eb:86:ca:31:fb:56:fe:f4:b0:82:c8:5e

And the tls-ca-cert.pem:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            37:fb:97:dd:76:a2:17:9c:df:28:5e:78:8a:03:d5:0c:44:c1:66:ee
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C = JD, ST = Dev, O = JEDO, OU = Root, CN = tls.jedo.dev
        Validity
            Not Before: Dec  8 18:47:00 2024 GMT
            Not After : Dec  5 18:47:00 2039 GMT
        Subject: C = JD, ST = Dev, O = JEDO, OU = Root, CN = tls.jedo.dev
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:8c:ce:14:39:0a:b8:73:31:47:61:05:dc:e2:bb:
                    98:81:73:79:ba:ce:12:e8:a4:eb:8e:be:22:2e:bf:
                    ce:2c:5e:42:57:8b:56:64:a9:d0:e3:44:d4:8f:06:
                    ed:d6:5c:97:87:d7:31:68:bd:fc:1d:41:1b:20:33:
                    55:5a:08:41:64:41:45:f5:60:2a:52:1d:7c:1f:14:
                    2f:e9:7c:7b:37:3c:5f:65:a3:aa:e8:10:6b:63:e0:
                    cd:53:99:d2:7a:f9:aa
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Subject Key Identifier: 
                3F:1B:02:D5:7A:5F:94:BE:79:24:41:F2:5B:C4:D2:81:78:4B:02:06
            X509v3 Subject Alternative Name: 
                IP Address:172.25.1.3
    Signature Algorithm: ecdsa-with-SHA384
    Signature Value:
        30:64:02:30:0b:c0:19:ef:ed:ee:9c:83:93:f8:31:ff:a1:34:
        48:70:01:5d:eb:33:7e:00:07:fb:9c:67:3c:be:30:8a:73:68:
        73:4a:45:d7:94:ee:70:b8:1d:ab:e5:69:7a:07:b8:9c:02:30:
        3e:aa:ba:d7:9d:2d:40:3a:47:23:d7:a3:cb:e2:34:30:0b:01:
        f4:c5:bd:f4:3f:46:38:7c:ab:22:69:26:3e:ef:bb:fd:50:d6:
        1e:f0:e9:82:cd:57:16:65:19:a1:64:88

Very strange: The serial number in the error does not match any of my generated certificates and is far longer than a "normal" serial number...

The tls-ca-cert is here: /mnt/user/appdata/jedo-dev/infrastructure/jedo.dev/ea.jedo.dev/orderer0.ea.jedo.dev/tls/tlscacerts/tls-ca-cert.pem

How does osnadmin know where to find the ca-cert according to a simple certificate? Everywhere in the config, I can add a root-ca parameter.

Upvotes: 0

Views: 14

Answers (0)
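Added example (not part of the question above and not Hyperledger Fabric's own code): a stand-alone Go program that reproduces the shape of the check behind the quoted error and the way the serial number is printed. The orderer does not look the CA up from a path on its disk: the consenter's ClientTLSCert/ServerTLSCert must chain to one of the TLS CA certificates that the orderer organisations carry in the channel config inside the join block, so the CA that signed cert.pem has to be present there as a tlscacert. The error text is produced by Go's crypto/x509, which prints a certificate serial as a decimal big integer; a 20-byte serial therefore shows up as a 48-digit number rather than the colon-separated hex that openssl prints. The hostnames, CA names and port below are constructed; the hex serial is the one from the question's cert.pem, so the conversion can be compared with the number in the error.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// SerialHexToDecimal converts the colon-separated hex serial printed by
// `openssl x509 -text` into the decimal form big.Int.String() produces,
// which is what the orderer's error message contains.
func SerialHexToDecimal(colonHex string) (string, error) {
	n, ok := new(big.Int).SetString(strings.ReplaceAll(colonHex, ":", ""), 16)
	if !ok {
		return "", fmt.Errorf("not a hex serial: %q", colonHex)
	}
	return n.String(), nil
}

// issue signs tmpl with parent (self-signed when parent is nil) using a fresh P-384 key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewTLSCA builds a self-signed TLS CA: constructed test data standing in for
// an orderer organisation's TLS CA cert in the channel config.
func NewTLSCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}, nil, nil)
}

// NewConsenterCert issues a TLS server+client cert for host from ca with the given serial.
func NewConsenterCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, serial *big.Int) (*x509.Certificate, error) {
	cert, _, err := issue(&x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
	return cert, err
}

// VerifyConsenterCert mirrors the check that fails in the question: the
// consenter's TLS client cert must chain to one of `roots`, the TLS CA certs
// of the orderer organisations in the join block's channel config. A CA file
// that exists only on the orderer's filesystem is not part of that set.
func VerifyConsenterCert(cert *x509.Certificate, roots []*x509.Certificate, host string, port int) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		// cert.SerialNumber is a *big.Int and prints in decimal.
		return fmt.Errorf("consenter %s:%d has invalid certificate: verifying tls client cert with serial number %s: %w",
			host, port, cert.SerialNumber, err)
	}
	return nil
}

func main() {
	const host = "orderer0.example.test" // hypothetical consenter
	channelCA, caKey, err := NewTLSCA("tls.example.test")
	if err != nil {
		panic(err)
	}
	otherCA, _, _ := NewTLSCA("unrelated-tls-ca.example.test")
	serial, _ := new(big.Int).SetString("5386ab30fb289720508d8813f628851a8d7f3c2b", 16)
	leaf, err := NewConsenterCert(channelCA, caKey, host, serial)
	if err != nil {
		panic(err)
	}
	fmt.Println("issuing CA in channel config:  ", VerifyConsenterCert(leaf, []*x509.Certificate{channelCA}, host, 52111))
	fmt.Println("unrelated CA in channel config:", VerifyConsenterCert(leaf, []*x509.Certificate{otherCA}, host, 52111))
	dec, _ := SerialHexToDecimal("53:86:ab:30:fb:28:97:20:50:8d:88:13:f6:28:85:1a:8d:7f:3c:2b")
	fmt.Println("openssl serial in Go's decimal form:", dec)
}
```

The second Verify call is the situation in the question: the cert is perfectly valid under its own CA, but the CA set it is checked against does not contain that CA, and Go reports "x509: certificate signed by unknown authority" with the decimal serial. Running SerialHexToDecimal on the serial from your own cert.pem and comparing it with the number in the error tells you immediately whether the orderer is complaining about the certificate you think it is.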
