
fabric-ca's Introduction

Fabric CA Developer's Guide

This is the Developer's Guide for Fabric CA, which is a Certificate Authority for Hyperledger Fabric.

Fabric CA can issue enrollment certificates and TLS certificates for Hyperledger Fabric deployments.

See the Fabric Getting Started Guide for information on how to install and use Fabric CA with Hyperledger Fabric sample networks.

See the Fabric CA User's Guide, Operations Guide, and Deployment Guide for detailed information on how to use and deploy Fabric CA.

The remainder of this guide is intended for developers contributing to Fabric CA.

Prerequisites

  • Go 1.20 or later
  • docker version 17.03 or later
  • docker-compose version 1.11 or later

Contribution guidelines

You are welcome to contribute to Fabric CA!

The following are guidelines to follow when contributing:

  1. See the general information about contributing to fabric.

  2. To run the unit tests manually:

    # cd $GOPATH/src/github.com/hyperledger/fabric-ca
    # make unit-tests
    

    The test coverage for each package must be 75% or greater. If this fails due to insufficient test coverage, then you can run gencov to get a coverage report to see what code is not being tested. Once you have added additional test cases, you can run go test -cover in the appropriate package to see the current coverage level.

    WARNING: Running the unit-tests may fail due to too many open file descriptors. Depending on where the failure occurs, the error message may not be obvious and may only say something similar to "unable to open database file". Depending on the settings on your host, you may need to increase the maximum number of open file descriptors. For example, the OSX default per-process maximum number of open file descriptors is 256. You may issue the following command to display your current setting:

    # ulimit -n
    256
    

    And the following command will increase this setting to 65536:

    # ulimit -n 65536
    

    Please note that this change is only temporary. To make it permanent, you will need to consult the documentation for your host operating system.
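As an added illustration of the 75% rule above (example code, not part of fabric-ca): a small Go program that parses the per-package lines printed by go test -cover ./... and lists the packages that fall below the bar. The output it parses is constructed here; the package names are fabric-ca's, the percentages are made up, and treating a package with no test files as failing is this example's choice.

```go
// Coverage gate for "make unit-tests": parse the per-package lines that
// "go test -cover ./..." prints and list every package below the 75% bar.
// Added example, not fabric-ca code; sampleOutput is constructed.
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// MinCoverage is the threshold the contribution guidelines require.
const MinCoverage = 75.0

// PackageCoverage is one package's result from the go test output.
type PackageCoverage struct {
	Package  string
	Percent  float64 // -1 when the package printed no coverage figure
	HasTests bool
}

var (
	// e.g. "ok  	github.com/hyperledger/fabric-ca/lib	12.3s	coverage: 81.2% of statements"
	coverRe = regexp.MustCompile(`^ok\s+(\S+)\s+.*coverage:\s+([0-9.]+)% of statements`)
	// e.g. "?   	github.com/hyperledger/fabric-ca/lib/spi	[no test files]"
	noTestsRe = regexp.MustCompile(`^\?\s+(\S+)\s+\[no test files\]`)
)

// ParseCoverage extracts per-package coverage from go test -cover output.
func ParseCoverage(output string) []PackageCoverage {
	var results []PackageCoverage
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		line := sc.Text()
		if m := coverRe.FindStringSubmatch(line); m != nil {
			pct, err := strconv.ParseFloat(m[2], 64)
			if err != nil {
				continue // malformed figure; skip the line rather than guess
			}
			results = append(results, PackageCoverage{Package: m[1], Percent: pct, HasTests: true})
		} else if m := noTestsRe.FindStringSubmatch(line); m != nil {
			results = append(results, PackageCoverage{Package: m[1], Percent: -1, HasTests: false})
		}
	}
	return results
}

// BelowThreshold returns the packages that fail the bar. A package with no
// test files is treated as failing too (0% covered); that is this example's choice.
func BelowThreshold(results []PackageCoverage, min float64) []string {
	var failing []string
	for _, r := range results {
		if !r.HasTests || r.Percent < min {
			failing = append(failing, r.Package)
		}
	}
	return failing
}

// sampleOutput is constructed to look like go test -cover output; the
// package names are fabric-ca's, the figures are made up.
const sampleOutput = `ok  	github.com/hyperledger/fabric-ca/lib	41.203s	coverage: 81.5% of statements
ok  	github.com/hyperledger/fabric-ca/lib/tls	0.512s	coverage: 72.9% of statements
?   	github.com/hyperledger/fabric-ca/lib/spi	[no test files]
ok  	github.com/hyperledger/fabric-ca/util	2.118s	coverage: 75.0% of statements
`

func main() {
	failing := BelowThreshold(ParseCoverage(sampleOutput), MinCoverage)
	if len(failing) == 0 {
		fmt.Println("all packages meet the coverage bar")
		return
	}
	for _, p := range failing {
		fmt.Printf("coverage below %.0f%%: %s\n", MinCoverage, p)
	}
}
```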

Package overview

  1. cmd/fabric-ca-server contains the main for the fabric-ca-server command.
  2. cmd/fabric-ca-client contains the main for the fabric-ca-client command.
  3. lib contains most of the code.
     a) server.go contains the main Server object, which is configured by serverconfig.go.
     b) client.go contains the main Client object, which is configured by clientconfig.go.
  4. util/csp.go contains the Crypto Service Provider implementation.
  5. lib/dbutil contains database utility functions.
  6. lib/ldap contains LDAP client code.
  7. lib/spi contains Service Provider Interface code for the user registry.
  8. lib/tls contains TLS related code for server and client.
  9. util contains various utility functions.

Additional info

FVT

See FVT tests for information on functional verification test cases.

Updating the cfssl vendored package

Following are the steps to update the cfssl package using version 1.0.8 of the govendor tool.

  • Remove cfssl from the vendor folder
    • cd $GOPATH/src/github.com/hyperledger/fabric-ca/vendor
    • govendor remove github.com/cloudflare/cfssl/...
    • rm -rf github.com/cloudflare/cfssl/
  • Clone the cfssl repo
  • Add cfssl from $GOPATH to the vendor folder
    • cd $GOPATH/src/github.com/hyperledger/fabric-ca/vendor
    • govendor add github.com/cloudflare/cfssl/^
    • You can optionally specify a revision or tag to add a particular revision of the code to the vendor folder
      • govendor add github.com/cloudflare/cfssl/^@abc12032
  • Remove the sqlx package from the cfssl vendor folder. This is because certsql.NewAccessor (called by fabric-ca) requires the sqlx.db object to be passed from the same package. If the sqlx package were present in both the fabric-ca and the cfssl vendor folders, the Go compiler would throw an error
    • rm -rf github.com/cloudflare/cfssl/vendor/github.com/jmoiron/sqlx
  • Remove the packages that were added to the fabric-ca vendor folder but are not needed by fabric-ca

License

Hyperledger Project source code files are made available under the Apache License, Version 2.0 (Apache-2.0), located in the LICENSE file. Hyperledger Project documentation files are made available under the Creative Commons Attribution 4.0 International License (CC-BY-4.0), available at http://creativecommons.org/licenses/by/4.0/.

fabric-ca's People

Contributors

adecaro, ashku, benjsmi, binhn, bjzhang03, c0rwin, christo4ferris, denyeart, dependabot[bot], ghaskins, guhaihua, hacera-jonathan, jimthematrix, jkneubuh, jonathanlevi, krishvoor, lehors, lhaskins, lindluni, m-ahadi, mastersingh24, mbwhite, naonishijima, pamandrejko, rameshthoomu, rennman, ryjones, sykesm, yacovm, yeasy


fabric-ca's Issues

Idemix MSP Folder Structure incompatible with what Fabric expects

Currently, Fabric-CA generates an Idemix MSP folder structure and file content that Fabric is not able to load.
Namely:

  • The content of SignerConfig is encoded in JSON; Fabric expects proto
  • Fabric expects the revocation public key to be stored in a file named RevocationPublicKey and IdemixRevocationPublicKey.

This git issue is to fix the above issues.

fabric-ca unit tests failing - testdata/ec.pem expired

When I check testdata/ec.pem, I get

    Validity
        Not Before: Oct 12 19:31:00 2016 GMT
        Not After : Oct 11 19:31:00 2021 GMT

which makes the unit tests fail.
I noticed that rsa.pem is about to expire on Oct 24 14:46:00 2021 GMT.
I did not check all the certs in testdata; maybe there are more.
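The failure mode in this report, an expired PEM fixture surfacing as an unrelated test error, is easy to catch ahead of time. Below is an added Go example (not fabric-ca code) that parses every CERTIFICATE block in a PEM file and flags those already expired or expiring within a warning window; instead of reading the repository's testdata it generates a self-signed ECDSA certificate with the same validity window as the ec.pem described above. CheckPEM, ExpiringWithin and selfSignedECPEM are names chosen for this example.

```go
// Expiry check for PEM certificate fixtures such as testdata/ec.pem. Added
// example, not fabric-ca code; the certificate is generated in-process.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertStatus summarises one certificate found in a PEM file.
type CertStatus struct {
	Subject  string
	NotAfter time.Time
	Expired  bool
	DaysLeft int // negative once the certificate has expired
}

// CheckPEM parses every CERTIFICATE block in data and reports its expiry
// relative to now. Other block types (keys) are skipped.
func CheckPEM(data []byte, now time.Time) ([]CertStatus, error) {
	var out []CertStatus
	for {
		block, rest := pem.Decode(data)
		if block == nil {
			break
		}
		data = rest
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		out = append(out, CertStatus{
			Subject:  cert.Subject.CommonName,
			NotAfter: cert.NotAfter,
			Expired:  now.After(cert.NotAfter),
			DaysLeft: int(cert.NotAfter.Sub(now).Hours() / 24),
		})
	}
	return out, nil
}

// ExpiringWithin lists the certificates that are expired or expire within warnDays.
func ExpiringWithin(statuses []CertStatus, warnDays int) []CertStatus {
	var hits []CertStatus
	for _, s := range statuses {
		if s.Expired || s.DaysLeft <= warnDays {
			hits = append(hits, s)
		}
	}
	return hits
}

// selfSignedECPEM builds a throwaway self-signed ECDSA certificate with the
// given validity window, standing in for a fixture like testdata/ec.pem.
func selfSignedECPEM(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Same validity window as the ec.pem fixture described in the issue.
	notBefore := time.Date(2016, 10, 12, 19, 31, 0, 0, time.UTC)
	notAfter := time.Date(2021, 10, 11, 19, 31, 0, 0, time.UTC)
	pemData, err := selfSignedECPEM("ec-fixture", notBefore, notAfter)
	if err != nil {
		panic(err)
	}
	statuses, err := CheckPEM(pemData, time.Now())
	if err != nil {
		panic(err)
	}
	for _, s := range ExpiringWithin(statuses, 30) {
		fmt.Printf("%s: NotAfter=%s expired=%v daysLeft=%d\n",
			s.Subject, s.NotAfter.UTC().Format(time.RFC3339), s.Expired, s.DaysLeft)
	}
}
```

Pointing CheckPEM at each file under testdata/ in a test that runs before the suite turns a silent fixture expiry into a clear failure message.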

Register the intermediate CA bootstrap identity with the organization (root) CA 403 Forbidden

./fabric-ca-client register -d -u https://org1rootcaadmin:[email protected]:7055 --id.name org1intermediatecaadmin --id.secret org1intermediatecaadminpw  --id.attrs '"hf.Registrar.Roles=user,admin","hf.Revoker=true","hf.IntermediateCA=true"' --tls.certfiles /usr/project/fabric-ca/org1-ca/tls-ca/ca-cert.pem --mspdir /usr/project/fabric-ca/org1-ca/org1-root-ca/org1rootcaadmin/msp

log content

2022/03/09 03:07:34 [INFO] 192.168.0.105:48152 POST /register 403 76 "Registration of 'org1intermediatecaadmin' failed"
2022/03/09 03:07:55 [DEBUG] Cleaning up expired nonces for CA 'org1-root-ca'
2022/03/09 03:09:27 [DEBUG] Received request for /register
2022/03/09 03:09:27 [DEBUG] Caller is using a x509 certificate
2022/03/09 03:09:27 [DEBUG] Certicate Dates: NotAfter = 2023-03-09 07:49:00 +0000 UTC NotBefore = 2022-03-09 07:41:00 +0000 UTC 
2022/03/09 03:09:27 [INFO] 192.168.0.105:48154 POST /register 401 26 "Untrusted certificate: Failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "fabric-ca-server")"
2022/03/09 03:09:45 [DEBUG] Received request for /register
2022/03/09 03:09:45 [DEBUG] Caller is using a x509 certificate
2022/03/09 03:09:45 [DEBUG] Certicate Dates: NotAfter = 2023-03-09 07:53:00 +0000 UTC NotBefore = 2022-03-09 07:47:00 +0000 UTC 
2022/03/09 03:09:45 [DEBUG] Checking for revocation/expiration of certificate owned by 'org1rootcaadmin'
2022/03/09 03:09:45 [DEBUG] DB: Get certificate by serial (533f2c5a6619663debbad716a74be3cb577f1875) and aki (db3b6bd4a8420c090d3715e69803b5861391d2e7)
2022/03/09 03:09:45 [DEBUG] DB: Getting identity org1rootcaadmin
2022/03/09 03:09:45 [DEBUG] Successful token authentication of 'org1rootcaadmin'
2022/03/09 03:09:45 [DEBUG] Received registration request from org1rootcaadmin: { Name:org1intermediatecaadmin Type:client Secret:**** MaxEnrollments:0 Affiliation: Attributes:[{hf.Registrar.Roles user,admin false} {hf.Revoker true false} {hf.IntermediateCA true false}] CAName:  }
2022/03/09 03:09:45 [DEBUG] No affiliation provided in registration request, will default to using registrar's affiliation of ''
2022/03/09 03:09:45 [DEBUG] canRegister - Check to see if user 'org1rootcaadmin' can register
2022/03/09 03:09:45 [DEBUG] Checking to see if caller 'org1rootcaadmin' can act on type 'client'
2022/03/09 03:09:45 [DEBUG] Checking to see if caller 'org1rootcaadmin' is a registrar
2022/03/09 03:09:45 [DEBUG] Registrar is not allowed to register user 'org1intermediatecaadmin': Failed to verify if user can act on type: 'org1rootcaadmin' is not a registrar
2022/03/09 03:09:45 [INFO] 192.168.0.105:48156 POST /register 403 76 "Registration of 'org1intermediatecaadmin' failed"

Problem replicating Fabric CA Operations Guide

I'm replicating this tutorial on a machine with CentOS and it works well until I have to start the orderer, if I don't add a
https://hyperledger-fabric-ca.readthedocs.io/en/latest/operations_guide.html#setup-cas
If I follow the instructions as they are, when submitting the following to the CLI of ORG1

peer channel create -c mychannel -f /tmp/hyperledger/org1/peer1/assets/channel.tx -o orderer1-org0:7050 --outputBlock /tmp/hyperledger/org1/peer1/assets/mychannel.block --tls --cafile /tmp/hyperledger/org1/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem

I get the error:

2022-04-24 08:24:17.756 UTC [main] InitCmd -> ERRO 03b Cannot run peer because error when setting up MSP of type bccsp from directory /tmp/hyperledger/org1/admin/msp: admin 0 is invalid [The identity does not contain OU [CLIENT], MSP: [org1MSP],The identity does not contain OU [ADMIN], MSP: [org1MSP]]

If I add a config.yaml file to the MSP folder as https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/use_CA.html#nodeous suggests, I cannot even initiate the orderer; I get this error when I try to do docker-compose up

orderer1-org0 | 2022-04-24 08:15:40.373 UTC [orderer.common.server] initializeServerConfig -> INFO 004 Starting orderer with TLS enabled
orderer1-org0 | 2022-04-24 08:15:40.445 UTC [orderer.common.server] Main -> PANI 005 Failed validating bootstrap block: initializing channelconfig failed: could not create channel Consortiums sub-group config: setting up the MSP manager failed: admin 0 is invalid [The identity does not contain OU [CLIENT], MSP: [org1MSP],The identity does not contain OU [ADMIN], MSP: [org1MSP]]
orderer1-org0 | panic: Failed validating bootstrap block: initializing channelconfig failed: could not create channel Consortiums sub-group config: setting up the MSP manager failed: admin 0 is invalid [The identity does not contain OU [CLIENT], MSP: [org1MSP],The identity does not contain OU [ADMIN], MSP: [org1MSP]]

I'm not seeing how to solve this issue.
The version 2.2 orderer deployment documentation mentions a different but possibly related PANI 005:
https://hyperledger-fabric.readthedocs.io/en/release-2.2/deployorderer/ordererdeploy.html
but the solution there is just creating the config.yaml, and it's not working

Solution:
The system channel configuration is missing config.yaml file. If you are creating a new ordering service, the MSPDir referenced in configtx.yaml file is missing the config.yaml file. Follow instructions in the Fabric CA documentation to generate this file and then rerun configtxgen to regenerate the genesis block for the system channel.

thanks

fabric-ca-server linux binary doesn't run on Ubuntu 18.04

The fabric-ca-server has a dependency on glibc 2.28, so when trying to run it you get

/lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.28' not found (required by bin/fabric-ca-server)

The problem is likely because the binary has been built on a much newer version of Ubuntu (possibly 20.04), but doing so means it cannot be used on older LTS versions of Ubuntu and is likely to be a problem for other distros as well.

Problem building fabric-ca-client on arm64

It appears that there are some architecture conflicts here:

% make fabric-ca-client
# golang.org/x/sys/unix
vendor/golang.org/x/sys/unix/syscall_darwin.1_13.go:29:3: //go:linkname must refer to declared function or variable
vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.1_13.go:27:3: //go:linkname must refer to declared function or variable
vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.1_13.go:40:3: //go:linkname must refer to declared function or variable
vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.go:28:3: //go:linkname must refer to declared function or variable
vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.go:43:3: //go:linkname must refer to declared function or variable
vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.go:59:3: //go:linkname must refer to declared function or variable
vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.go:75:3: //go:linkname must refer to declared function or variable
vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.go:90:3: //go:linkname must refer to declared function or variable
vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.go:105:3: //go:linkname must refer to declared function or variable
vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.go:121:3: //go:linkname must refer to declared function or variable
vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.go:121:3: too many errors

I can definitely help resolve these, but would need some help to get into the code here. Can you advise as to why these arch dependencies would exist?

My environment:
GOARCH="arm64"
GOOS="darwin"
GOVERSION="go1.18.2"
CGO_ENABLED="1"

fabric-ca-client and fabric-ca-server build fails on s390x in v1.5.7 - likely due to commit d575f40e

My builds of fabric-ca-client and fabric-ca-server on s390x (for both native binary and Docker image) are failing with Fabric-ca release v1.5.7. They succeeded in v1.5.6. The builds appear to have broken after commit d575f40, which changed the mathlib dependency. (Things work with the commit immediately prior to d575f40.)

Here are some commands that show my environment and the steps to reproduce the error. The error is shown for the fabric-ca-client native build failure; a similar error occurs for the fabric-ca-server native build and for the Docker image build.

barry@fabric01:~/go/src/github.com/silliman/fabric-ca$ cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

barry@fabric01:~/go/src/github.com/silliman/fabric-ca$ uname -a
Linux fabric01 5.4.0-159-generic #176-Ubuntu SMP Mon Aug 14 12:03:34 UTC 2023 s390x s390x s390x GNU/Linux

barry@fabric01:~/go/src/github.com/silliman/fabric-ca$ go version
go version go1.20.7 linux/s390x

barry@fabric01:~/go/src/github.com/silliman/fabric-ca$ git checkout v1.5.7
Previous HEAD position was d575f40e This PR brings the following: - prepare the revocation handle as expected by the idemix lib - idemix: export revocation handle in SignerConfig - update idemix and mathlib dep - add logs to idemix issuer - doc update
HEAD is now at 86c6b463 Release commit for v1.5.7

barry@fabric01:~/go/src/github.com/silliman/fabric-ca$ make fabric-ca-client
Building fabric-ca-client in bin directory ...
# github.com/IBM/mathlib/driver/kilic
vendor/github.com/IBM/mathlib/driver/kilic/custom.go:137:2: undefined: mul
vendor/github.com/IBM/mathlib/driver/kilic/custom.go:148:2: undefined: mul
vendor/github.com/IBM/mathlib/driver/kilic/custom.go:152:2: undefined: mul
vendor/github.com/IBM/mathlib/driver/kilic/custom.go:155:2: undefined: mul
vendor/github.com/IBM/mathlib/driver/kilic/custom.go:156:2: undefined: mul
vendor/github.com/IBM/mathlib/driver/kilic/custom.go:158:2: undefined: mul
vendor/github.com/IBM/mathlib/driver/kilic/custom.go:327:2: undefined: mul
make: *** [Makefile:106: bin/fabric-ca-client] Error 1

barry@fabric01:~/go/src/github.com/silliman/fabric-ca$ git checkout v1.5.6
Previous HEAD position was 86c6b463 Release commit for v1.5.7
HEAD is now at 47a32f27 Release commit for v1.5.6 (#358)

barry@fabric01:~/go/src/github.com/silliman/fabric-ca$ make fabric-ca-client
Building fabric-ca-client in bin directory ...
Built bin/fabric-ca-client

Identity Mixer: Using IBM/mathlib instead of AMCL

Currently, the Identity Mixer (hereafter "idemix") implementation in fabric-CA uses an implementation from an old incarnation of Fabric.
Nowadays, Fabric doesn't contain an implementation of idemix and instead, it imports the official IBM implementation.

There are several problems with the current state of affairs:

  • Fabric-CA is essentially using an Idemix version that doesn't exist anymore (it was removed in this PR), and thus is no longer maintained.
  • The official idemix implementation supports several elliptic curve and finite field packages, such as the efficient BN254 implementation of gnark-crypto. This flexibility is due to using Mathlib which is an abstraction layer on top of various elliptic curve and finite field arithmetic packages. In contrast, Fabric-CA is restricted to a specific implementation and hardcodes its usage throughout its code.

Fabric-CA is the main tool for issuance of idemix credentials, and it currently restricts consumers of it to a specific elliptic curve and finite field package, while idemix itself can support a wider variety of credentials (for other elliptic curve and finite field packages).

What I propose is to refactor Fabric-CA such that it will use Mathlib, in alignment with the Fabric idemix implementation.
Then, Fabric-CA could issue every idemix credential that the Fabric version of idemix can consume.

Another advantage of doing this is that the aforementioned elliptic curve implementation of gnark-crypto is much faster than the current implementation used by Fabric-CA, and consumers of idemix could get a performance boost by using a different elliptic curve implementation.

I propose to add to the idemix configuration of the Fabric-CA server (and similarly in the client) the following key, which will toggle between the available curve and finite field packages.

	CurveID                  string `def:"CurveID" skip:"true" help:"Name of the curve among {'amcl.Fp256bn', 'gurvy.Bn254', 'amcl.Fp256Miraclbn'}, defaults to 'amcl.Fp256bn'"`

The default curve, as mentioned above, will remain what Fabric-CA uses today, for backward compatibility.

Fabric CA getting started documentation is out of date

In the documentation for getting started the following is defined

Go 1.10+ installation
GOPATH environment variable is set correctly
libtool and libtdhl-dev packages are installed

However, Go 1.16 is now required and GOPATH doesn't need to be set

In the install section it says to use

go get -u github.com/hyperledger/fabric-ca/cmd/...

This will fail due to a breaking api change in go-kit (see https://stackoverflow.com/questions/69565838/i-encountered-an-error-while-installing-fabric-ca-with-the-go-get-command)

One solution is to remove the -u option but I don't know if that would download, build and install a version using the exact same dependencies that the official builds use (anyone able to confirm ?)

The alternative would be to reference the official build packages instead ? (suggestions please)

Also the following text still refers to the master branch

Note: If you have already cloned the fabric-ca repository, make sure you are on the master branch before running the 'go get' command above. Otherwise, you might see the following error:

fabric-ca release 1.5 binary fails with sqlite3 error

When using the binary pulled from the release page in github, this error occurs.

2021/08/13 09:09:16 [ERROR] Error occurred initializing database: Failed to open sqlite3 DB: Binary was compiled with 'CGO_ENABLED=0', go-sqlite3 requires cgo to work. This is a stub

The docker image for this doesn't have the problem. Nor does rebuilding the code - that works correctly.

From either a locally built version or from the docker image, the version indicates go1.15

./bin/fabric-ca-server version
fabric-ca-server:
 Version: 1.5.1-snapshot-6d7c103a
 Go version: go1.15.7
 OS/Arch: linux/amd64

The version from the releases tgz file gives

fabric-ca-server:
 Version: 1.5.0
 Go version: go1.16
 OS/Arch: linux/amd64

Go 1.16 looks out-of-place as everything else is at node 1.15. Looking at the state of the repo at the time of the last release, I can't see how this would have been built with go 1.16. Of course there could be something else as well

This has been reported as well on stackoverflow
https://stackoverflow.com/questions/68221867/error-initializing-fabric-ca-server-go-sqlite3-requires-cgo-to-work

Fabric CA with postgres DB: register new user fails with Authorization failure

We have a TLS CA and an Organization CA (Root CA).

Configuration of TLS CA with postgres DB instance went fine. We are able to bootstrap admin and register our identities.
When configuring Organization CA, we are connecting to the same Postgres DB instance which is used by TLS CA.
We are able to bootstrap admin.
When registering a new user, it fails with "Authorization failure".
If we configure Org CA with a different postgres DB instance then register/enroll of new user goes fine.

Is there any restriction on having a dedicated postgres DB for the TLS CA and Org CA servers?

Many issues on swagger.json

Hello,

When I use the swagger.fabric-ca.json on https://editor.swagger.io/, the tool displays many errors (Structural & Semantic)

I put all errors below:

Structural error at definitions.identityInfo.properties.max_enrollments.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 37
Semantic error at definitions.identityInfo.properties.max_enrollments.type
Schema "type" key must be a string
Jump to line 37
Structural error at paths./api/v1/enroll.post.parameters.2.schema.properties.profile.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 262
Semantic error at paths./api/v1/enroll.post.parameters.2.schema.properties.profile.type
Schema "type" key must be a string
Jump to line 262
Structural error at paths./api/v1/enroll.post.parameters.2.schema.properties.label.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 269
Semantic error at paths./api/v1/enroll.post.parameters.2.schema.properties.label.type
Schema "type" key must be a string
Jump to line 269
Structural error at paths./api/v1/enroll.post.parameters.2.schema.properties.caname.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 276
Semantic error at paths./api/v1/enroll.post.parameters.2.schema.properties.caname.type
Schema "type" key must be a string
Jump to line 276
Structural error at paths./api/v1/idemix/cri.post.parameters.2.schema.properties.caname.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 621
Semantic error at paths./api/v1/idemix/cri.post.parameters.2.schema.properties.caname.type
Schema "type" key must be a string
Jump to line 621
Structural error at paths./api/v1/reenroll.post.parameters.2.schema.properties.profile.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 740
Semantic error at paths./api/v1/reenroll.post.parameters.2.schema.properties.profile.type
Schema "type" key must be a string
Jump to line 740
Structural error at paths./api/v1/reenroll.post.parameters.2.schema.properties.label.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 747
Semantic error at paths./api/v1/reenroll.post.parameters.2.schema.properties.label.type
Schema "type" key must be a string
Jump to line 747
Structural error at paths./api/v1/reenroll.post.parameters.2.schema.properties.caname.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 754
Semantic error at paths./api/v1/reenroll.post.parameters.2.schema.properties.caname.type
Schema "type" key must be a string
Jump to line 754
Structural error at paths./api/v1/register.post.parameters.2.schema.properties.secret.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 929
Semantic error at paths./api/v1/register.post.parameters.2.schema.properties.secret.type
Schema "type" key must be a string
Jump to line 929
Structural error at paths./api/v1/register.post.parameters.2.schema.properties.max_enrollments.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 936
Semantic error at paths./api/v1/register.post.parameters.2.schema.properties.max_enrollments.type
Schema "type" key must be a string
Jump to line 936
Structural error at paths./api/v1/register.post.parameters.2.schema.properties.caname.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 972
Semantic error at paths./api/v1/register.post.parameters.2.schema.properties.caname.type
Schema "type" key must be a string
Jump to line 972
Structural error at paths./api/v1/revoke.post.parameters.2.schema.properties.id.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 1091
Semantic error at paths./api/v1/revoke.post.parameters.2.schema.properties.id.type
Schema "type" key must be a string
Jump to line 1091
Structural error at paths./api/v1/revoke.post.parameters.2.schema.properties.aki.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 1098
Semantic error at paths./api/v1/revoke.post.parameters.2.schema.properties.aki.type
Schema "type" key must be a string
Jump to line 1098
Structural error at paths./api/v1/revoke.post.parameters.2.schema.properties.serial.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 1105
Semantic error at paths./api/v1/revoke.post.parameters.2.schema.properties.serial.type
Schema "type" key must be a string
Jump to line 1105
Structural error at paths./api/v1/revoke.post.parameters.2.schema.properties.reason.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 1112
Semantic error at paths./api/v1/revoke.post.parameters.2.schema.properties.reason.type
Schema "type" key must be a string
Jump to line 1112
Structural error at paths./api/v1/revoke.post.parameters.2.schema.properties.caname.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 1119
Semantic error at paths./api/v1/revoke.post.parameters.2.schema.properties.caname.type
Schema "type" key must be a string
Jump to line 1119
Structural error at paths./api/v1/revoke.post.parameters.2.schema.properties.gencrl.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 1126
Semantic error at paths./api/v1/revoke.post.parameters.2.schema.properties.gencrl.type
Schema "type" key must be a string
Jump to line 1126
Structural error at paths./api/v1/gencrl.post.parameters.2.schema.properties.revokedafter.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 1256
Semantic error at paths./api/v1/gencrl.post.parameters.2.schema.properties.revokedafter.type
Schema "type" key must be a string
Jump to line 1256
Structural error at paths./api/v1/gencrl.post.parameters.2.schema.properties.revokedbefore.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 1263
Semantic error at paths./api/v1/gencrl.post.parameters.2.schema.properties.revokedbefore.type
Schema "type" key must be a string
Jump to line 1263
Structural error at paths./api/v1/gencrl.post.parameters.2.schema.properties.expireafter.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 1270
Semantic error at paths./api/v1/gencrl.post.parameters.2.schema.properties.expireafter.type
Schema "type" key must be a string
Jump to line 1270
Structural error at paths./api/v1/gencrl.post.parameters.2.schema.properties.expirebefore.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 1277
Semantic error at paths./api/v1/gencrl.post.parameters.2.schema.properties.expirebefore.type
Schema "type" key must be a string
Jump to line 1277
Structural error at paths./api/v1/gencrl.post.parameters.2.schema.properties.caname.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 1284
Semantic error at paths./api/v1/gencrl.post.parameters.2.schema.properties.caname.type
Schema "type" key must be a string
Jump to line 1284
Structural error at paths./api/v1/affiliations.post.parameters.3.schema.properties.caname.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 1495
Semantic error at paths./api/v1/affiliations.post.parameters.3.schema.properties.caname.type
Schema "type" key must be a string
Jump to line 1495
Structural error at paths./api/v1/affiliations/{affiliation}.put.parameters.4.schema.properties.caname.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 1728
Semantic error at paths./api/v1/affiliations/{affiliation}.put.parameters.4.schema.properties.caname.type
Schema "type" key must be a string
Jump to line 1728
Structural error at paths./api/v1/identities.get.responses.200.schema.properties.result.properties.identities.items.properties.max_enrollments.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 1956
Semantic error at paths./api/v1/identities.get.responses.200.schema.properties.result.properties.identities.items.properties.max_enrollments.type
Schema "type" key must be a string
Jump to line 1956
Structural error at paths./api/v1/identities.post.parameters.2.schema.properties.secret.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 2093
Semantic error at paths./api/v1/identities.post.parameters.2.schema.properties.secret.type
Schema "type" key must be a string
Jump to line 2093
Structural error at paths./api/v1/identities.post.parameters.2.schema.properties.max_enrollments.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 2100
Semantic error at paths./api/v1/identities.post.parameters.2.schema.properties.max_enrollments.type
Schema "type" key must be a string
Jump to line 2100
Structural error at paths./api/v1/identities.post.parameters.2.schema.properties.caname.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 2136
Semantic error at paths./api/v1/identities.post.parameters.2.schema.properties.caname.type
Schema "type" key must be a string
Jump to line 2136
Structural error at paths./api/v1/identities.post.responses.201.schema.properties.result.properties.secret.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 2173
Semantic error at paths./api/v1/identities.post.responses.201.schema.properties.result.properties.secret.type
Schema "type" key must be a string
Jump to line 2173
Structural error at paths./api/v1/identities.post.responses.201.schema.properties.result.properties.max_enrollments.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 2180
Semantic error at paths./api/v1/identities.post.responses.201.schema.properties.result.properties.max_enrollments.type
Schema "type" key must be a string
Jump to line 2180
Structural error at paths./api/v1/identities/{id}.get.responses.200.schema.properties.result.properties.max_enrollments.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 2325
Semantic error at paths./api/v1/identities/{id}.get.responses.200.schema.properties.result.properties.max_enrollments.type
Schema "type" key must be a string
Jump to line 2325
Structural error at paths./api/v1/identities/{id}.put.parameters.3.schema.properties.secret.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 2458
Semantic error at paths./api/v1/identities/{id}.put.parameters.3.schema.properties.secret.type
Schema "type" key must be a string
Jump to line 2458
Structural error at paths./api/v1/identities/{id}.put.parameters.3.schema.properties.max_enrollments.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 2465
Semantic error at paths./api/v1/identities/{id}.put.parameters.3.schema.properties.max_enrollments.type
Schema "type" key must be a string
Jump to line 2465
Structural error at paths./api/v1/identities/{id}.put.parameters.3.schema.properties.attrs.items.properties.value.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 2486
Semantic error at paths./api/v1/identities/{id}.put.parameters.3.schema.properties.attrs.items.properties.value.type
Schema "type" key must be a string
Jump to line 2486
Structural error at paths./api/v1/identities/{id}.put.parameters.3.schema.properties.caname.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 2503
Semantic error at paths./api/v1/identities/{id}.put.parameters.3.schema.properties.caname.type
Schema "type" key must be a string
Jump to line 2503
Structural error at paths./api/v1/identities/{id}.put.responses.200.schema.properties.result.properties.secret.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 2535
Semantic error at paths./api/v1/identities/{id}.put.responses.200.schema.properties.result.properties.secret.type
Schema "type" key must be a string
Jump to line 2535
Structural error at paths./api/v1/identities/{id}.put.responses.200.schema.properties.result.properties.max_enrollments.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 2542
Semantic error at paths./api/v1/identities/{id}.put.responses.200.schema.properties.result.properties.max_enrollments.type
Schema "type" key must be a string
Jump to line 2542
Structural error at paths./api/v1/identities/{id}.delete.responses.200.schema.properties.result.properties.max_enrollments.type
should be equal to one of the allowed values
allowedValues: array, boolean, integer, number, object, string
Jump to line 2692
Semantic error at paths./api/v1/identities/{id}.delete.responses.200.schema.properties.result.properties.max_enrollments.type
Schema "type" key must be a string
Jump to line 2692

Orderer port number in docker-compose.yaml

The orderer section in docker-compose.yaml does not have the expected port number (7050) mentioned
(https://hyperledger-fabric-ca.readthedocs.io/en/latest/docker_compose.html)

orderer1-org0:
  container_name: orderer1-org0
  image: hyperledger/fabric-orderer:1.4.0
  environment:
    - ORDERER_HOME=/tmp/hyperledger/orderer
    - ORDERER_HOST=orderer1-org0
    - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
    - ORDERER_GENERAL_GENESISMETHOD=file
    - ORDERER_GENERAL_GENESISFILE=/tmp/hyperledger/org0/orderer/genesis.block
    - ORDERER_GENERAL_LOCALMSPID=org0MSP
    - ORDERER_GENERAL_LOCALMSPDIR=/tmp/hyperledger/org0/orderer/msp
    - ORDERER_GENERAL_TLS_ENABLED=true
    - ORDERER_GENERAL_TLS_CERTIFICATE=/tmp/hyperledger/org0/orderer/tls-msp/signcerts/cert.pem
    - ORDERER_GENERAL_TLS_PRIVATEKEY=/tmp/hyperledger/org0/orderer/tls-msp/keystore/key.pem
    - ORDERER_GENERAL_TLS_ROOTCAS=[/tmp/hyperledger/org0/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem]
    - ORDERER_GENERAL_LOGLEVEL=debug
    - ORDERER_DEBUG_BROADCASTTRACEDIR=data/logs
  volumes:
    - /tmp/hyperledger/org0/orderer:/tmp/hyperledger/org0/orderer/
  networks:
    - fabric-ca

Expose Postgres database connection configuration properties including max connection lifetime

Configuring the max lifetime for the Postgres database connection type (and likely all others), like maxLifetime in HikariCP, would allow for regular connection cycling on a configured lifetime duration. I believe the default is "0" in the database/sql library, i.e. infinite lifetimes.

PQ says it "Handles bad connections for database/sql", and line 727, func TestCloseBadConn, seems to indicate PQ will recover from bad connections, which seem to last for an infinite timeframe, though I have seen stale connection pools in production not recycle stale connections. If we have access to the underlying configuration properties then we can manually configure the connection lifecycle.

The configuration properties I have in mind are as indicated in this article:

db.SetMaxOpenConns(25)
db.SetMaxIdleConns(25)
db.SetConnMaxLifetime(5*time.Minute)
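The three properties above, mapped onto database/sql and then checked, as an added example that is not fabric-ca code: PoolConfig and its field names are an assumption about what such a configuration block could look like, and the driver is a counting stub standing in for lib/pq so the program runs offline. The second half answers the doubt in the report by observing the pool directly: with SetConnMaxLifetime in effect, a connection older than the configured lifetime is retired and a fresh one is opened the next time the pool is used, which DBStats.MaxLifetimeClosed and the driver's open counter both show.

```go
package main

import (
	"database/sql"
	"database/sql/driver"
	"fmt"
	"sync/atomic"
	"time"
)

// PoolConfig is a hypothetical block of server configuration mapped onto the
// database/sql pool knobs. The field names are assumptions, not fabric-ca options.
type PoolConfig struct {
	MaxOpenConns    int
	MaxIdleConns    int
	ConnMaxLifetime time.Duration
	ConnMaxIdleTime time.Duration
}

// ApplyPoolConfig pushes the settings into the pool. Zero values keep the
// database/sql defaults: unlimited open, 2 idle, connections never expire.
func ApplyPoolConfig(db *sql.DB, cfg PoolConfig) {
	db.SetMaxOpenConns(cfg.MaxOpenConns)
	db.SetMaxIdleConns(cfg.MaxIdleConns)
	db.SetConnMaxLifetime(cfg.ConnMaxLifetime)
	db.SetConnMaxIdleTime(cfg.ConnMaxIdleTime)
}

// countingDriver stands in for lib/pq: it never contacts a server and only
// counts how many physical connections the pool asked it to open.
type countingDriver struct{ opens int64 }

func (d *countingDriver) Open(string) (driver.Conn, error) {
	atomic.AddInt64(&d.opens, 1)
	return stubConn{}, nil
}

type stubConn struct{}

func (stubConn) Prepare(string) (driver.Stmt, error) { return nil, driver.ErrSkip }
func (stubConn) Close() error                         { return nil }
func (stubConn) Begin() (driver.Tx, error)            { return nil, driver.ErrSkip }

var counting = &countingDriver{}

func init() { sql.Register("counting", counting) }

// CycleStats is what DemoLifetimeCycling observed.
type CycleStats struct {
	MaxOpen        int   // limit the pool reports after ApplyPoolConfig
	Opens          int64 // physical connections opened during the demo
	LifetimeClosed int64 // connections the pool retired for outliving ConnMaxLifetime
}

// DemoLifetimeCycling configures a 1 ms ConnMaxLifetime, uses one connection,
// waits past its lifetime and uses the pool again. With lifetime recycling in
// effect the second use must discard the first connection and open a fresh one.
func DemoLifetimeCycling() (CycleStats, error) {
	db, err := sql.Open("counting", "")
	if err != nil {
		return CycleStats{}, err
	}
	defer db.Close()
	ApplyPoolConfig(db, PoolConfig{MaxOpenConns: 25, MaxIdleConns: 25, ConnMaxLifetime: time.Millisecond})

	before := atomic.LoadInt64(&counting.opens)
	if err := db.Ping(); err != nil { // first use opens connection #1
		return CycleStats{}, err
	}
	time.Sleep(20 * time.Millisecond) // #1 is now older than its permitted lifetime
	if err := db.Ping(); err != nil { // pool retires #1 as expired and opens #2
		return CycleStats{}, err
	}
	st := db.Stats()
	return CycleStats{
		MaxOpen:        st.MaxOpenConnections,
		Opens:          atomic.LoadInt64(&counting.opens) - before,
		LifetimeClosed: st.MaxLifetimeClosed,
	}, nil
}

func main() {
	st, err := DemoLifetimeCycling()
	if err != nil {
		panic(err)
	}
	fmt.Printf("max open=%d, physical opens=%d, retired for age=%d\n", st.MaxOpen, st.Opens, st.LifetimeClosed)
}
```

The same ApplyPoolConfig works unchanged against a real *sql.DB opened with lib/pq; only the driver name and DSN differ. Note that a lifetime of a few minutes is the useful production value; 1 ms is chosen here only so the recycling is observable within one run.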

fabric-ca package binary is not available in release 1.5.0

What is the issue?

It seems like fabric-ca packages for linux and windows are missing in release v1.5.0

What is causing issue?

While setting up a Fabric network using the command curl -sSL https://bit.ly/2ysbOFE | bash -s, the script tries to install the fabric-ca package 1.5.0 for Linux, and since it is not available the script throws an error:

==> Cloning hyperledger/fabric-samples repo
Cloning into 'fabric-samples'...
remote: Enumerating objects: 7688, done.
remote: Total 7688 (delta 0), reused 0 (delta 0), pack-reused 7688
Receiving objects: 100% (7688/7688), 4.50 MiB | 18.43 MiB/s, done.
Resolving deltas: 100% (4020/4020), done.
fabric-samples v2.3.2 does not exist, defaulting main

Pull Hyperledger Fabric binaries

===> Downloading version 2.3.2 platform specific fabric binaries
===> Downloading:  https://github.com/hyperledger/fabric/releases/download/v2.3.2/hyperledger-fabric-linux-amd64-2.3.2.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   649  100   649    0     0   3294      0 --:--:-- --:--:-- --:--:--  3294
100 73.5M  100 73.5M    0     0  33.1M      0  0:00:02  0:00:02 --:--:-- 40.3M
==> Done.
===> Downloading version 1.5.0 platform specific fabric-ca-client binary
===> Downloading:  https://github.com/hyperledger/fabric-ca/releases/download/v1.5.0/hyperledger-fabric-ca-linux-amd64-1.5.0.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100     9  100     9    0     0     47      0 --:--:-- --:--:-- --:--:--    47

gzip: stdin: not in gzip format
tar: Child returned status 1
tar: Error is not recoverable: exiting now
==> There was an error downloading the binary file.

------> 1.5.0 fabric-ca-client binary is not available to download  (Available from 1.1.0-rc1) <----

Platform

Ubuntu Linux

How long have you been experiencing this?

It was working two days ago, but since this morning it has suddenly stopped working. It seems the new release 1.5.1, which was released on August 16, may have something to do with this.

difference between v1.5.0 and v1.5.1

(Two screenshots were attached, the first of the v1.5.0 release assets and the second of v1.5.1; they are not reproduced here.)

Hyperledger's BCCSP is failing to initialize with our PKCS11 package.

We're trying to use Fortanix PKCS11 library with hyperledger.
Here is some information about the pkcs11 tool :
Cryptoki version 3.0
Manufacturer Fortanix
Library Fortanix Data Security Manager PKCS11 Library (ver 0.3)
Using slot 0 with a present token (0x1)

Hyperledger's BCCSP is failing to initialize with Fortanix PKCS11 (Error: Failed to get BCCSP with opts: Could not initialize BCCSP PKCS11: pkcs11: instantiation failed for /etc/hyperledger/fabric/fortanix_pkcs11_4.8.2070.so)
We have modified the base image to centos, and the pkcs11 tool works with our library as well.

We have made the following changes to the fabric-ca-server-config.yaml file:
bccsp:
  default: PKCS11
  pkcs11:
    Library: /home/ccm-user/fortanix_pkcs11/fortanix_pkcs11_4.2.1500.so
    Pin: file:///home/ccm-user/fortanix_pkcs11/pkcs11.conf
    label: "Fortanix Token"
    hash: SHA2
    security: 256

And the config file contains :

api_endpoint = "https://sdkms.fortanix.com"
api_key="xxxxxx"
app_id="xxxxxxx"
[log]
system = true # Unix only, logs to syslog

Is there any other changes that need to be done in the BCCSP section to integrate our library with the hyperledger fabric?

Invalid token format; expecting 2 parts separated by

/api/v1/certificates?id=&aki=&serial=&revoked_start=&revoked_end=&expired_start=&expired_end=&notexpired=&notrevoked=&ca= 401 25 "Invalid token in authorization header: Invalid token format; expecting 2 parts separated by '.'"

S3 or DB support

Hello,

Is there any possibility to store (and retrieve) cert files on S3 or DB instead of traditional filesystem basis?

This filesystem mechanism is neither safe nor scalable.

Vulnerable dependencies in CA documentation

NB: Please note that this issue is in progress and will be updated.

I have decided to amalgamate these all into one list to make things easier for the Hyperledger Fabric team. @denyeart explained that JARs/dependencies with known vulnerabilities are OK to report via GitHub issue. So here we go.

| Name | Found in code | CVEs | Due date | Status |
| --- | --- | --- | --- | --- |
| Babel-2.3.4-py2.py3-none-any.whl | https://github.com/hyperledger/fabric-ca/blob/main/docs/requirements.txt#L9 | https://nvd.nist.gov/vuln/detail/CVE-2021-42771 | Aug 21, 2023 | #367 merged. ✅ |
| Pygments-2.1.3-py2.py3-none-any.whl | https://github.com/hyperledger/fabric-ca/blob/main/docs/requirements.txt#L14 | https://nvd.nist.gov/vuln/detail/CVE-2021-27291, https://nvd.nist.gov/vuln/detail/CVE-2021-20270 | Aug 21, 2023 | #367 merged. ✅ |

Issue with re-enrolling certificates

Background. Customer is running code to test registering/enrolling operations on a daily basis. Failures began occurring after re-enrollments and could only be corrected by restarting the CA.

Log snippet from the CA:

2022-06-22T05:00:05.813188931Z 2022/06/22 05:00:05 [INFO] signed certificate with serial number 227295963368738719576295504100228910397990236259
2022-06-22T05:00:05.856018279Z 2022/06/22 05:00:05 [INFO] 172.30.14.166:60118 POST /api/v1/reenroll 201 0 "OK"
2022-06-22T05:00:06.047488264Z 2022/06/22 05:00:06 [INFO] signed certificate with serial number 443761956686633821028606532772396696503568673733
2022-06-22T05:00:06.099787377Z 2022/06/22 05:00:06 [INFO] 172.30.14.166:60120 POST /api/v1/reenroll 201 0 "OK"
2022-06-22T05:00:06.192780584Z 2022/06/22 05:00:06 [INFO] 172.30.16.22:49800 POST /api/v1/register 401 26 "Untrusted certificate: Failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2021-06-28T12:58:30Z is before 2021-11-18T08:08:00Z"
2022-06-22T05:23:28.755945128Z 2022/06/22 05:23:28 [INFO] 172.30.16.22:47926 POST /api/v1/register 401 26 "Untrusted certificate: Failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2021-06-28T12:58:30Z is before 2021-11-18T08:08:00Z"

Note in the log that when attempting to register a user, it fails with an error indicating that the current time is in the past.

This is related to the recent change to add "reenrollignorecertexpiry" to the configuration.

In fabric-ca/lib/serverrequestcontext.go:

reenrollIgnoreCertExpiry := ctx.endpoint.Path == "reenroll" && ctx.ca.Config.CA.ReenrollIgnoreCertExpiry

// Make sure the caller's cert was issued by this CA
err2 = ca.VerifyCertificate(cert, reenrollIgnoreCertExpiry)
if err2 != nil {
	return "", caerrors.NewAuthenticationErr(caerrors.ErrUntrustedCertificate, "Untrusted certificate: %s", err2)
}

The reenrollIgnoreCertExpiry is set only for "reenroll".

In fabric-ca/lib/ca.go:

func (ca *CA) VerifyCertificate(cert *x509.Certificate, forceTime bool) error {
	log.Debugf("Certicate Dates: NotAfter = %s NotBefore = %s \n", cert.NotAfter.String(), cert.NotBefore.String())

	opts, err := ca.getVerifyOptions()
	if err != nil {
		return errors.WithMessage(err, "Failed to get verify options")
	}

	// force check time to be 30 seconds after certificate start time to ensure expiry doesn't get flagged
	// this is one of the checks that is made on the certificate in Verify()
	if forceTime {
		opts.CurrentTime = cert.NotBefore.Add(time.Duration(time.Second * 30))
	}

The opts.CurrentTime is reset to an offset time, but only for re-enrollments.

getVerifyOptions returns the current options if they already exist.

func (ca *CA) getVerifyOptions() (*x509.VerifyOptions, error) {
	if ca.verifyOptions != nil {
		return ca.verifyOptions, nil
	}

The problem is there is nothing that resets the opts.CurrentTime.
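The sequence from the log, replayed with Go's crypto/x509 as an added example (this is not fabric-ca code; the throwaway root CA, the certificate names and the verifier type are constructed for the demo). One verifier hands back a pointer to a single cached VerifyOptions and writes the reenroll time override into it, exactly the shape of getVerifyOptions and VerifyCertificate above; the other copies the cached options and sets CurrentTime on the copy only. After a reenroll presenting a certificate whose NotBefore was 48 hours ago, the shared verifier rejects a currently valid certificate as not yet valid (the register failure in the log) and, because the pinned time never advances, also accepts a certificate that expired 36 hours ago. The per-request copy gets all three decisions right.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mint generates a fresh P-256 key and signs tmpl with parent; a nil parent yields a self-signed CA.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifier caches one VerifyOptions and hands out a pointer to it, like getVerifyOptions() above.
type verifier struct {
	roots *x509.CertPool
	opts  *x509.VerifyOptions
}

func (v *verifier) getVerifyOptions() *x509.VerifyOptions {
	if v.opts == nil {
		v.opts = &x509.VerifyOptions{Roots: v.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	}
	return v.opts
}

// verifyShared writes the override into the cached struct: once a reenroll pins CurrentTime,
// every later call on this verifier, forceTime or not, checks validity at that pinned time.
func (v *verifier) verifyShared(cert *x509.Certificate, forceTime bool) error {
	opts := v.getVerifyOptions()
	if forceTime {
		opts.CurrentTime = cert.NotBefore.Add(30 * time.Second)
	}
	_, err := cert.Verify(*opts)
	return err
}

// verifyPerRequest copies the cached options and sets CurrentTime on the copy only;
// the zero value tells crypto/x509 to use the wall clock.
func (v *verifier) verifyPerRequest(cert *x509.Certificate, forceTime bool) error {
	opts := *v.getVerifyOptions()
	opts.CurrentTime = time.Time{}
	if forceTime {
		opts.CurrentTime = cert.NotBefore.Add(30 * time.Second)
	}
	_, err := cert.Verify(opts)
	return err
}

// isExpiryError reports whether err is crypto/x509's "expired or not yet valid" failure.
func isExpiryError(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.Expired
}

// RunScenario replays the log against both verifiers: a reenroll with a certificate issued
// two days ago, a register with a currently valid one, then a request with a certificate that
// expired long ago but was valid at the pinned time. Keys are "shared/..." and "perRequest/...".
func RunScenario() (map[string]error, error) {
	now := time.Now()
	caCert, caKey, err := mint(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-root-ca"},
		NotBefore: now.Add(-240 * time.Hour), NotAfter: now.Add(240 * time.Hour), // brackets every leaf below
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	leaf := func(cn string, serial int64, nb, na time.Duration) (c *x509.Certificate) {
		if err == nil {
			c, _, err = mint(&x509.Certificate{
				SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
				NotBefore: now.Add(nb), NotAfter: now.Add(na),
				KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
			}, caCert, caKey)
		}
		return c
	}
	old := leaf("peer-reenrolling", 2, -48*time.Hour, -24*time.Hour)
	valid := leaf("admin-registering", 3, -time.Hour, 24*time.Hour)
	stale := leaf("long-expired", 4, -72*time.Hour, -36*time.Hour)
	if err != nil {
		return nil, err
	}
	shared, perReq := &verifier{roots: roots}, &verifier{roots: roots}
	r := map[string]error{}
	r["shared/reenroll"] = shared.verifyShared(old, true) // pins CurrentTime to 48h ago
	r["shared/register"] = shared.verifyShared(valid, false)
	r["shared/stale"] = shared.verifyShared(stale, false)
	r["perRequest/reenroll"] = perReq.verifyPerRequest(old, true)
	r["perRequest/register"] = perReq.verifyPerRequest(valid, false)
	r["perRequest/stale"] = perReq.verifyPerRequest(stale, false)
	return r, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println(r) // fmt prints map keys in sorted order
}
```

The fix is the value copy in verifyPerRequest: x509.VerifyOptions is a plain struct, so copying it per request costs nothing, and the explicit reset of CurrentTime means a cached struct that was polluted elsewhere can still not leak a time into this verification.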

Possible error on YAML file

I think there is an error in the configtx.yaml file. At AnchorPeers it should be - Port: 7051 instead of Port: 7051

- &org1
   Name: org1
   ID: org1MSP
   MSPDir: /tmp/hyperledger/org1/msp
   AnchorPeers:
      - Host: peer1-org1
        Port: 7051

- &org1
   Name: org1
   ID: org1MSP
   MSPDir: /tmp/hyperledger/org1/msp
   AnchorPeers:
      - Host: peer1-org1
      - Port: 7051

Unable to get Fabric Network with TLS Chain of Trust of multiple Fabric CA Servers working!

Hi everybody ;)

I'm stuck! Lately I've been trying to get a Hyperledger Fabric Network with multiple Fabric-CAs building a Chain Of Trust running. I read the Docs, checked out multiple Blog Posts about this topic, and tried out various different approaches... But I just can't get my Network up and running!

The relevant part of the network looks something like this (topology diagram not reproduced).

The startup of the whole CA-Hierarchy is already working. And without the ca-root and ca-intermediate though, I managed to get it all running without any problems.

The error most probably lies in the Overall Generation of the TLS-Certificates or the Usage of them in the peers & orderers.
The error that I can't get rid of happens in all peers & orderers when starting them:

peer1

/etc/hyperledger/fabric/core.yaml: OK
patching file /etc/hyperledger/fabric/core.yaml
patch unexpectedly ends in middle of line
Hunk #1 succeeded at 546 with fuzz 1.
Running: peer node start
2021-11-17 14:28:33.081 CET [main] InitCmd -> ERRO 001 Cannot run peer because error when setting up MSP of type bccsp from directory /etc/hyperledger/crypto/peer/msp: the supplied identity is not valid: x509: certificate signed by unknown authority

orderer1

2021-11-17 14:33:27.672 CET [orderer.common.server] loadLocalMSP -> PANI 004 Failed to setup local msp with config: the supplied identity is not valid: x509: certificate signed by unknown authority
panic: Failed to setup local msp with config: the supplied identity is not valid: x509: certificate signed by unknown authority

Files

The project in the state described above, with all the files (including the Startup-Script, Config-Files, and generated certificates in their MSP Structure), can be inspected in the following repository:

Fabric Network Project

When you want the project to run in your kubernetes namespace, you have to delete the /artifacts/crypto-config folder and then run the ./start.sh script.

I would be very pleased if someone could tell me what I have to change in my Script and Configs to get this thing working!

Permission issue when running docker container with non-root user

Summary

fs permission issue in docker container when attempting to run with a non-root user

Steps to reproduce

docker run -d --user 1000:1000 hyperledger/fabric-ca:1.5.0

Environment

  • os: ubuntu 20.04
  • docker version: 20.10.5
  • image version: hyperledger/fabric-ca:1.5.0

Expected behavior

functional fabric-ca container with port 7054 exposed

Resulted behavior

container exited with following error: Error: Failed to create default configuration file: mkdir /etc/hyperledger: permission denied

Possible cause

due to how the image is built, directory/files required to run fabric-ca-server are owned by root

Clarification about TLS certificates to use configuring CAs

Hi,
I would like to ask for clarification about the following.
I deployed a TLS CA, an Organization CA, and an Intermediate CA, each one in different machines.
When creating the TLS root certificate, I initially set the --csr.hosts to the TLS CA hostname in the enroll command for the Organization CA and Intermediate CA admin users. Then, following the guide, when configuring the Organization CA, I used the root TLS CA certificate in --tls.certfiles when enrolling the admin into the Organization CA, and the Organization CA hostname in csr.hosts in the enroll command.
That, as probably expected, ended in an error like:

 x509: certificate is valid for tls_ca, not org_ca

There are two ways of solving that error.

  1. If we strictly follow the tutorial, to fix that error I would need to add the Organization CA hostname (apart from the TLS CA hostname) to the csr.hosts list when enrolling the Organization admin user into the TLS CA. I guess that's the way to fix it following the tutorial, because it forces you to use the TLS CA root certificate when enrolling the Organization admin user into the Organization CA. So, basically, the TLS root CA cert will have been generated for the Organization CA host apart from the TLS CA host. Nevertheless, when generating that certificate, the docs say to add only the TLS CA host.
  2. The second way is to use only the TLS CA host for the TLS CA root cert (in csr.hosts), and when enrolling the Organization admin into the TLS CA, use as csr.hosts the Organization CA hostname. That way, when enrolling in the Organization CA the admin user, you can use its TLS certificate (the one generated for the Organization CA and copied from the TLS CA to the Organization CA machine) instead of the TLS CA root certificate (the docs says to use the TLS CA root cert) as --tls.certfiles, and its hostname (the Organization CA hostname) in the csr.hosts parameter.

I tested both approaches, and both worked. Could you please clarify which one should be used?

Thank you very much.

How fabric-ca can run on macos

I am trying to run fabric-ca on macOS (Intel). I downloaded the zip of the code and opened it in VS Code, but there is no indication of where to start. How can I start this project? There is no docker-compose file either.

Tls certificate expired

I have an issue: my TLS cert has expired. I upgraded the CA to 1.5.7, but renewing the cert with the following command also does not work:
fabric-ca-client reenroll --mspdir "/etc/hyperledger/fabric-ca-server/msp/" --tls.certfiles "/etc/hyperledger/fabric-ca-server/tls-cert.pem" --csr.keyrequest.reusekey
2023/12/04 12:39:28 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
2023/12/04 12:39:28 [INFO] TLS Enabled
2023/12/04 12:39:29 [INFO] TLS Enabled
2023/12/04 12:39:29 [INFO] encoded CSR
Error: Failed to reenroll 'fabric_admin': POST failure of request: POST https://emsd-ca-service:7054/reenroll
{"hosts":["start-emsd-ca-client-mlmw7"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBVjCB/gIBADBkMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxFTATBgNV\nBAMMDGZhYnJpY19hZG1pbjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABL4K56Ly\nEdz5piVDdiAjnnT84SUTXbnrqVFl0RNgX8dJCY2OnlruAhOBL3uKLpzeX/CPDRdf\nZsUmsoFeIetlNxSgODA2BgkqhkiG9w0BCQ4xKTAnMCUGA1UdEQQeMByCGnN0YXJ0\nLWVtc2QtY2EtY2xpZW50LW1sbXc3MAoGCCqGSM49BAMCA0cAMEQCIGzZVLUZg7D8\ne2jCJkrui5Sp08zgQHaSWG6r8yNp+RQ1AiAX8uQP4hRP9c198sjTWCkjVLUNVOS1\nXVsa3xFTHbOZIA==\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","ReturnPrecert":false,"CAName":""}: Post "https://emsd-ca-service:7054/reenroll": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2023-12-04T12:39:29+08:00 is after 2023-11-29T09:09:00Z ---

When using LDAP to provide the certificates, users are always set to type "client"

I have recently been trying to configure a connection between the LDAP server that we use for storing user credentials and the fabric-ca server. In our configuration, we are using NodeOUs to determine user permissions - when not using LDAP, and registering with the ca directly, we set this using the -type flag set to one of admin, peer, client or orderer. However, it seems that when using LDAP configuration, the user is always set to a default of type client, which cannot be changed through any LDAP attributes or API calls.

This makes the LDAP configuration with the ca unusable if you want to have any sort of policies set up requiring type admin/peer/orderer, as the certificate always identifies it as type client. Here is a link to a stackoverflow post where they had the same issue, for added context on the issue - https://stackoverflow.com/questions/63834220/set-admin-role-for-an-ldap-user-in-hyperledger-fabric-ca.

I'm pretty sure that this can easily be fixed by just editing the file fabric-ca/lib/server/ldap/client.go, specifically the getType function on line 342 - just adding an attribute lookup in LDAP for an attribute Type or something similar, and then if that value exists return it, otherwise still defaulting to client.

If there is a way to set the type of a user when getting the details from LDAP, please let me know!
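One way to implement the lookup proposed above, as an added example and not fabric-ca's getType or its LDAP client (the attribute name fabricIdentityType, the memberOf group mapping and the TypePolicy struct are assumptions, and the entries at the bottom are constructed stand-ins for search results): the type comes from a configured attribute, falls back to group membership when that attribute is absent, and otherwise stays client as today. The part a practitioner would want beyond the bare lookup is the allow-list: a value outside client, peer, orderer and admin, a multi-valued attribute, or groups that disagree are rejected instead of being copied into the certificate.

```go
package main

import (
	"fmt"
	"strings"
)

// allowedTypes are the identity types fabric-ca distinguishes; any other value
// coming from the directory is rejected rather than trusted.
var allowedTypes = map[string]bool{"client": true, "peer": true, "orderer": true, "admin": true}

const defaultType = "client"

// TypePolicy says where the type comes from. Both fields are hypothetical
// configuration for this example, not fabric-ca settings.
type TypePolicy struct {
	Attribute  string            // attribute holding the type, e.g. "fabricIdentityType"
	GroupTypes map[string]string // memberOf group DN -> type, consulted when Attribute is absent
}

// IdentityTypeFromEntry derives the type for one LDAP entry, given its
// attributes as a name -> values map (the shape a search result decodes to).
// Precedence: explicit attribute, then group membership, then defaultType.
// A multi-valued attribute, a value outside allowedTypes, or groups that
// disagree are errors, so a misconfigured directory cannot hand out a type
// the operator did not intend.
func IdentityTypeFromEntry(attrs map[string][]string, p TypePolicy) (string, error) {
	if vals, ok := lookup(attrs, p.Attribute); ok && len(vals) > 0 {
		if len(vals) != 1 {
			return "", fmt.Errorf("attribute %q has %d values, exactly one expected", p.Attribute, len(vals))
		}
		return normalize(vals[0], p.Attribute)
	}
	fromGroups := ""
	groups, _ := lookup(attrs, "memberOf")
	for _, dn := range groups {
		for groupDN, typ := range p.GroupTypes {
			// Case-insensitive string comparison is enough for the demo; a real
			// implementation should normalize DNs before comparing them.
			if !strings.EqualFold(strings.TrimSpace(dn), strings.TrimSpace(groupDN)) {
				continue
			}
			typ = strings.ToLower(strings.TrimSpace(typ))
			if fromGroups != "" && fromGroups != typ {
				return "", fmt.Errorf("group membership maps to both %q and %q", fromGroups, typ)
			}
			fromGroups = typ
		}
	}
	if fromGroups != "" {
		return normalize(fromGroups, "memberOf")
	}
	return defaultType, nil
}

// normalize lower-cases a candidate type and checks it against the allow-list.
func normalize(raw, source string) (string, error) {
	typ := strings.ToLower(strings.TrimSpace(raw))
	if !allowedTypes[typ] {
		return "", fmt.Errorf("%s yields unsupported identity type %q", source, raw)
	}
	return typ, nil
}

// lookup finds an attribute by name; LDAP attribute names are case-insensitive.
func lookup(attrs map[string][]string, name string) ([]string, bool) {
	for k, v := range attrs {
		if strings.EqualFold(k, name) {
			return v, true
		}
	}
	return nil, false
}

func main() {
	policy := TypePolicy{
		Attribute:  "fabricIdentityType",
		GroupTypes: map[string]string{"cn=fabric-admins,ou=groups,dc=example,dc=org": "admin"},
	}
	// Constructed entries standing in for LDAP search results.
	entries := []map[string][]string{
		{"uid": {"alice"}, "fabricIdentityType": {"Peer"}},
		{"uid": {"bob"}, "memberOf": {"CN=fabric-admins,OU=groups,DC=example,DC=org"}},
		{"uid": {"carol"}},
		{"uid": {"dave"}, "fabricIdentityType": {"superuser"}},
	}
	for _, e := range entries {
		typ, err := IdentityTypeFromEntry(e, policy)
		fmt.Printf("%-6s type=%q err=%v\n", e["uid"][0], typ, err)
	}
}
```

Rejecting rather than defaulting on a bad value matters because the type ends up in the certificate and is what NodeOU policies key on; a directory typo silently becoming client is a confusing failure, but one silently becoming admin would be a privilege escalation, so neither is allowed through.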

fabric-ca-server and AWS CloudHSM: TLS cert issues?

Hello,

I'm trying to setup a fabric-ca-server with AWS CloudHSM:

I use the library cloudhsm-pkcs11 v5.2.1-2 on ubuntu 18.04 (there are no more recent ubuntu versions supported by AWS cloudHSM at this time)

I configured a couple of HSM servers in an HSM cluster and added a "fabric" CU (Crypto User) with the aws HSM cli:

$ /opt/cloudhsm/bin/cloudhsm_mgmt_util /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg
aws-cloudhsm>loginHSM CO admin password
aws-cloudhsm>createUser CU fabric 12345678

I configured both fabric-ca-server-config.yaml and fabric-ca-client-config.yaml with:

bccsp:
  default: PKCS11
  pkcs11:
      Library: /opt/cloudhsm/lib/libcloudhsm_pkcs11.so
      Pin: 'fabric:12345678'
      AltId: FABRIC
      # it seems that the label must be the name of the HSM cluster in AWS:
      Label: cluster-dzetr75hznp
      hash: SHA2
      security: 256

I initialize the CA server (the MSP key is successfully stored in the HSM):

$ fabric-ca-server init -b admin:adminpw
2021/10/07 02:46:58 [INFO] Configuration file location: /opt/hsmtest/ca.hsm/rootca/fabric-ca-server-config.yaml
2021/10/07 02:46:59 [INFO] Server Version: 1.5.2
2021/10/07 02:46:59 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2021/10/07 02:46:59 [WARNING] &{69 The specified CA certificate file /opt/hsmtest/ca.hsm/rootca/ca-cert.pem does not exist}
2021/10/07 02:46:59 [INFO] generating key: &{A:ecdsa S:256}
2021/10/07 02:46:59 [INFO] encoded CSR
2021/10/07 02:46:59 [INFO] signed certificate with serial number 457077676613156083610706603201870637828122354856
2021/10/07 02:46:59 [INFO] The CA key and certificate were generated for CA rootca
2021/10/07 02:46:59 [INFO] The key was stored by BCCSP provider 'PKCS11'
2021/10/07 02:46:59 [INFO] The certificate is at: /opt/hsmtest/ca.hsm/rootca/ca-cert.pem
2021/10/07 02:46:59 [INFO] Initialized sqlite3 database at /opt/hsmtest/ca.hsm/rootca/fabric-ca-server.db
2021/10/07 02:46:59 [INFO] The issuer key was successfully stored. The public key is at: /opt/hsmtest/ca.hsm/rootca/IssuerPublicKey, secret key is at: /opt/hsmtest/ca.hsm/rootca/msp/keystore/IssuerSecretKey
2021/10/07 02:46:59 [INFO] Idemix issuer revocation public and secret keys were generated for CA 'rootca'
2021/10/07 02:46:59 [INFO] The revocation key was successfully stored. The public key is at: /opt/hsmtest/ca.hsm/rootca/IssuerRevocationPublicKey, private key is at: /opt/hsmtest/ca.hsm/rootca/msp/keystore/IssuerRevocationPrivateKey
2021/10/07 02:46:59 [INFO] Home directory for default CA: /opt/hsmtest/ca.hsm/rootca
2021/10/07 02:46:59 [INFO] Initialization was successful

But then when I start the server, the TLS self-signed cert generation fails:

$ /etc/hyperledger/fabric-ca-client# fabric-ca-server start -d
2021/10/07 02:52:10 [DEBUG] Home directory: /opt/hsmtest/ca.hsm/rootca
2021/10/07 02:52:10 [INFO] Configuration file location: /opt/hsmtest/ca.hsm/rootca/fabric-ca-server-config.yaml
2021/10/07 02:52:10 [INFO] Starting server in home directory: /opt/hsmtest/ca.hsm/rootca
2021/10/07 02:52:10 [DEBUG] Set log level: 
2021/10/07 02:52:10 [INFO] Server Version: 1.5.2
2021/10/07 02:52:10 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2021/10/07 02:52:10 [DEBUG] Making server filenames absolute
2021/10/07 02:52:10 [DEBUG] Initializing default CA in directory /opt/hsmtest/ca.hsm/rootca
2021/10/07 02:52:10 [DEBUG] CA Home Directory: /opt/hsmtest/ca.hsm/rootca
2021/10/07 02:52:10 [DEBUG] Checking configuration file version '1.4.7' against server version: '1.5.2'
2021/10/07 02:52:10 [DEBUG] Initializing BCCSP: &{ProviderName:PKCS11 SwOpts:0xc000394150 PluginOpts:<nil> Pkcs11Opts:0xc000143000}
2021/10/07 02:52:10 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 FileKeystore:0xc00016ccd0 DummyKeystore:<nil> InmemKeystore:<nil>}
2021/10/07 02:52:10 [DEBUG] Initializing BCCSP with PKCS11 options {SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:<nil> DummyKeystore:<nil> Library:/opt/cloudhsm/lib/libcloudhsm_pkcs11.so Label:****** Pin:****** SoftVerify:false Immutable:false AltId:FABRIC}
2021/10/07 02:52:10 [DEBUG] Initialize key material
2021/10/07 02:52:10 [DEBUG] Making CA filenames absolute
2021/10/07 02:52:10 [INFO] The CA key and certificate already exist
2021/10/07 02:52:10 [INFO] The key is stored by BCCSP provider 'PKCS11'
2021/10/07 02:52:10 [INFO] The certificate is at: /opt/hsmtest/ca.hsm/rootca/ca-cert.pem
2021/10/07 02:52:10 [DEBUG] Loading CN from existing enrollment information
2021/10/07 02:52:10 [DEBUG] Initializing DB
2021/10/07 02:52:10 [DEBUG] Initializing 'sqlite3' database at '/opt/hsmtest/ca.hsm/rootca/fabric-ca-server.db'
2021/10/07 02:52:10 [DEBUG] Using sqlite database, connect to database in home (/opt/hsmtest/ca.hsm/rootca/fabric-ca-server.db) directory
2021/10/07 02:52:10 [DEBUG] Creating SQLite database (/opt/hsmtest/ca.hsm/rootca/fabric-ca-server.db) if it does not exist...
2021/10/07 02:52:10 [DEBUG] Creating users table if it does not exist
2021/10/07 02:52:10 [DEBUG] Creating affiliations table if it does not exist
2021/10/07 02:52:10 [DEBUG] Creating certificates table if it does not exist
2021/10/07 02:52:10 [DEBUG] Creating credentials table if it does not exist
2021/10/07 02:52:10 [DEBUG] Creating revocation_authority_info table if it does not exist
2021/10/07 02:52:10 [DEBUG] Creating nonces table if it does not exist
2021/10/07 02:52:10 [DEBUG] Creating properties table if it does not exist
2021/10/07 02:52:10 [DEBUG] Successfully opened sqlite3 DB
2021/10/07 02:52:10 [DEBUG] Initializing identity registry
2021/10/07 02:52:10 [DEBUG] Initialized DB identity registry
2021/10/07 02:52:10 [DEBUG] Checking database levels '&{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}' against server levels '&{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}'
2021/10/07 02:52:10 [DEBUG] Loading identity table
2021/10/07 02:52:10 [DEBUG] Loading identity 'admin_ca'
2021/10/07 02:52:10 [DEBUG] DB: Getting identity admin_ca
2021/10/07 02:52:10 [DEBUG] Identity 'admin_ca' already registered, loaded identity
2021/10/07 02:52:10 [DEBUG] Successfully loaded identity table
2021/10/07 02:52:10 [DEBUG] Loading affiliations table
2021/10/07 02:52:10 [DEBUG] Successfully loaded affiliations table
2021/10/07 02:52:10 [INFO] Initialized sqlite3 database at /opt/hsmtest/ca.hsm/rootca/fabric-ca-server.db
2021/10/07 02:52:10 [DEBUG] Initializing enrollment signer
2021/10/07 02:52:10 [DEBUG] validating configuration
2021/10/07 02:52:10 [DEBUG] validate local profile
2021/10/07 02:52:10 [DEBUG] profile is valid
2021/10/07 02:52:10 [DEBUG] validate local profile
2021/10/07 02:52:10 [DEBUG] profile is valid
2021/10/07 02:52:10 [DEBUG] validate local profile
2021/10/07 02:52:10 [DEBUG] profile is valid
2021/10/07 02:52:10 [DEBUG] CA initialization successful
2021/10/07 02:52:10 [DEBUG] Initializing Idemix issuer...
2021/10/07 02:52:10 [INFO] The Idemix issuer public and secret key files already exist
2021/10/07 02:52:10 [INFO]    secret key file location: /opt/hsmtest/ca.hsm/rootca/msp/keystore/IssuerSecretKey
2021/10/07 02:52:10 [INFO]    public key file location: /opt/hsmtest/ca.hsm/rootca/IssuerPublicKey
2021/10/07 02:52:10 [DEBUG] Intializing revocation authority for issuer 'rootca'
2021/10/07 02:52:10 [DEBUG] Initialize Idemix issuer revocation key material
2021/10/07 02:52:10 [INFO] The Idemix issuer revocation public and secret key files already exist
2021/10/07 02:52:10 [INFO]    private key file location: /opt/hsmtest/ca.hsm/rootca/msp/keystore/IssuerRevocationPrivateKey
2021/10/07 02:52:10 [INFO]    public key file location: /opt/hsmtest/ca.hsm/rootca/IssuerRevocationPublicKey
2021/10/07 02:52:10 [DEBUG] Intializing nonce manager for issuer 'rootca'
2021/10/07 02:52:10 [INFO] Home directory for default CA: /opt/hsmtest/ca.hsm/rootca
2021/10/07 02:52:10 [DEBUG] 1 CA instance(s) running on server
2021/10/07 02:52:10 [INFO] Operation Server Listening on 127.0.0.1:9443
2021/10/07 02:52:10 [DEBUG] TLS is enabled
2021/10/07 02:52:10 [DEBUG] TLS enabled but either certificate or key file does not exist, automatically generating TLS credentials
2021/10/07 02:52:10 [DEBUG] TLS CSR: {<PRIVATE STUFF>}
2021/10/07 02:52:10 [DEBUG] GenCSR &{<PRIVATE STUFF>}
2021/10/07 02:52:10 [DEBUG] Initializing client with config: &{URL: MSPDir: TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR:<nil> Type:  } CSR:{CN: Names:[] Hosts:[] KeyRequest:<nil> CA:<nil> SerialNumber:} ID:{Name: Type: Secret: MaxEnrollments:0 Affiliation: Attributes:[] CAName:} Revoke:{Name: Serial: AKI: Reason: CAName: GenCRL:false} CAInfo:{CAName:} CAName: CSP:0xc000147fb0 Debug:false LogLevel:}
2021/10/07 02:52:10 [DEBUG] Initializing BCCSP: &{ProviderName:PKCS11 SwOpts:0xc000394150 PluginOpts:<nil> Pkcs11Opts:0xc000143000}
2021/10/07 02:52:10 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 FileKeystore:0xc00016ccd0 DummyKeystore:<nil> InmemKeystore:<nil>}
2021/10/07 02:52:10 [DEBUG] Initializing BCCSP with PKCS11 options {SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:<nil> DummyKeystore:<nil> Library:/opt/cloudhsm/lib/libcloudhsm_pkcs11.so Label:****** Pin:****** SoftVerify:false Immutable:false AltId:FABRIC}
2021/10/07 02:52:10 [INFO] generating key: &{A:ecdsa S:256}
2021/10/07 02:52:10 [DEBUG] generate key from request: algo=ecdsa, size=256
2021/10/07 02:52:10 [DEBUG] failed generating BCCSP key: Failed generating ECDSA P256 key: P11: keypair generate failed [pkcs11: 0x13: CKR_ATTRIBUTE_VALUE_INVALID]
2021/10/07 02:52:10 [DEBUG] Closing server DBs
Error: Failed to automatically generate TLS certificate and key: Failed to generate CSR: Failed generating ECDSA P256 key: P11: keypair generate failed [pkcs11: 0x13: CKR_ATTRIBUTE_VALUE_INVALID]

Here is the corresponding cloudhsm log:

2021-10-07T02:52:10.204+02:00 INFO  [179] ThreadId(5) [cloudhsm_provider::hsm1::connection::connection_pool] Adding HSM connection to connection pool: HsmConnection { hsm_info: HSM { IP: "10.4.1.189", Port: 2223 } }
2021-10-07T02:52:10.209+02:00 INFO  [179] ThreadId(5) [cloudhsm_provider::hsm1::hsm_connection::server_connection::common] Initializing new connection: HSM { IP: "10.4.1.189", Port: 2223 }
2021-10-07T02:52:10.260+02:00 INFO  [179] ThreadId(5) [cloudhsm_provider::hsm1::hsm_connection::server_properties] Version handshake with server succeeded. Received version: ComponentVersion { major: 2, minor: 3 }
2021-10-07T02:52:10.260+02:00 INFO  [179] ThreadId(5) [hsm1_marshaling::server_handshake] Reporting sdk version Pkcs11:5.2-1-bionic:CodeBuildBatchProject-uFu5sNXfquqK:ed9a3dbd-7172-439f-8ee3-79408d4e3f39
2021-10-07T02:52:10.304+02:00 WARN  [179] ThreadId(3) [cloudhsm_provider::hsm1::hsm_connection::dispatcher_strategy] UX000: Discarding HSM response because it does not match a pending request.
2021-10-07T02:52:10.352+02:00 INFO  [179] ThreadId(5) [cloudhsm_provider::hsm1::connection::connection_pool] Adding HSM connection to connection pool: HsmConnection { hsm_info: HSM { IP: "10.4.1.236", Port: 2223 } }
2021-10-07T02:52:10.355+02:00 INFO  [179] ThreadId(5) [cloudhsm_provider::hsm1::hsm_connection::server_connection::common] Initializing new connection: HSM { IP: "10.4.1.236", Port: 2223 }
2021-10-07T02:52:10.401+02:00 INFO  [179] ThreadId(5) [cloudhsm_provider::hsm1::hsm_connection::server_properties] Version handshake with server succeeded. Received version: ComponentVersion { major: 2, minor: 3 }
2021-10-07T02:52:10.401+02:00 INFO  [179] ThreadId(5) [hsm1_marshaling::server_handshake] Reporting sdk version Pkcs11:5.2-1-bionic:CodeBuildBatchProject-uFu5sNXfquqK:ed9a3dbd-7172-439f-8ee3-79408d4e3f39
2021-10-07T02:52:10.444+02:00 WARN  [179] ThreadId(1) [cloudhsm_provider::hsm1::hsm_connection::dispatcher_strategy] UX000: Discarding HSM response because it does not match a pending request.
2021-10-07T02:52:10.492+02:00 INFO  [179] ThreadId(3) [cloudhsm_provider::hsm1::connection::connection_pool::cluster_info_message] Cluster version 150321984 is up to date. Ignoring cluster version received: 150321671.
2021-10-07T02:52:10.492+02:00 INFO  [179] ThreadId(5) [cloudhsm_provider::hsm1::connection::device] Retrieving HSM information.
2021-10-07T02:52:10.513+02:00 INFO  [179] ThreadId(5) [cloudhsm_provider::hsm1::connection::session_creation] Successfully created session with id: ProviderSessionId { inner: 1 }
2021-10-07T02:52:10.560+02:00 ERROR [179] ThreadId(6) [cloudhsm_pkcs11::general::C_Initialize] BP000: Library is already initialized.
2021-10-07T02:52:10.560+02:00 ERROR [179] ThreadId(6) [cloudhsm_pkcs11::general::C_Initialize] C_Initialize failed, returning 0x00000191
2021-10-07T02:52:10.560+02:00 INFO  [179] ThreadId(6) [cloudhsm_provider::hsm1::connection::device] Retrieving HSM information.
2021-10-07T02:52:10.581+02:00 INFO  [179] ThreadId(6) [cloudhsm_provider::hsm1::connection::session_creation] Successfully created session with id: ProviderSessionId { inner: 2 }
2021-10-07T02:52:10.582+02:00 ERROR [179] ThreadId(6) [cloudhsm_provider::hsm1::session::authentication] Failed to login to HSM. 2 connections failed, out of 2. Returning first error from HSM { IP: "10.4.1.236", Port: 2223 }, AlreadyLoggedIn.
2021-10-07T02:52:10.582+02:00 ERROR [179] ThreadId(6) [cloudhsm_pkcs11::session::C_Login] Error: User is already logged in
2021-10-07T02:52:10.582+02:00 ERROR [179] ThreadId(6) [cloudhsm_pkcs11::session::C_Login] C_Login failed, returning 0x00000100
2021-10-07T02:52:10.587+02:00 ERROR [179] ThreadId(6) [cloudhsm_pkcs11::keymgmt::C_GenerateKeyPair::error] Attribute Value for (Unknown) is invalid
2021-10-07T02:52:10.587+02:00 ERROR [179] ThreadId(6) [cloudhsm_pkcs11::keymgmt::C_GenerateKeyPair] C_GenerateKeyPair failed, returning 0x00000013

I had no problem with the TLS cert generation with the softhsm driver, so maybe the problem with AWS is the AltId setting, which is the same here for the generated MSP CA cert and the TLS cert? Also, I don't really know what to make of the "Error: User is already logged in" in the cloudhsm log...

Peer certificate expired

I am facing an issue while trying to install a new chaincode in my peer:

Server TLS handshake failed with error: tls: bad certificate server=PeerServer

My peer is running a TLSCA and a CA-Server, and:
Peer version: 2.4.4
fabric-ca: latest
TLSCA: 1.5.0

I am getting the above error from organizations/peerOrganizations/organization.com/users/[email protected]/msp

I have also checked the signcerts/cert.pem and found that it has actually expired. The cert.pem in the peer's signcerts has also expired.

Is there any document which I can follow for renewing the certificates for my peer?

Register and enroll all Hyperledger Fabric users and peers on LDAP server

I successfully connected my Hyperledger Fabric network to an OpenLdap server running on a docker container, and I have enrolled all users, admins, and peers.

Also I created the genesis block, channel transaction and AnchorPeersUpdate.

But when I try to create my channel I get the following error:

Error: got unexpected status: BAD_REQUEST -- error validating channel creation transaction for new channel 'supply-channel', could not successfully apply update to template configuration: error authorizing update: error validating DeltaSet: policy for [Group] /Channel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied

I know this error occurs when there is a problem with the identity (including MSP ID, certificate and keys) that submitted the request.

So my questions are:

  • What is the best way to connect my Hyperledger Fabric network to my LDAP server in order to register all users, administrators, and peers with correct identities?
  • How do I convert identity attributes registered on the LDAP server to fabric-ca identity attributes?

Failure to clone repository on Windows based filesystems

When attempting to clone or fetch the current repository at commit 8894989
the following files fail to download due to ":" being in the filename which is illegal on Windows based filesystems:

vendor/github.com/cloudflare/cfssl/vendor/github.com/cloudflare/cfssl_trust/ca-bundle/SwissSignCA(RSAIKMay6199918:00:58)_2000-11-26_SHA1WithRSA.crt
vendor/github.com/cloudflare/cfssl/vendor/github.com/cloudflare/cfssl_trust/ca-bundle/SwissSignCA(RSAIKMay6199918:00:58)_2000-11-26_SHA1WithRSA_2.crt
