aws-samples / non-profit-blockchain

Builds a blockchain network and application to track donations to non-profit organizations, using Amazon Managed Blockchain
Apache License 2.0

Error: x509: certificate signed by unknown authority #122

Open joesoh opened 3 years ago

joesoh commented 3 years ago

When running the enroll command:

fabric-ca-client enroll -u https://$ADMINUSER:$ADMINPWD@$CASERVICEENDPOINT --tls.certfiles /home/ec2-user/managedblockchain-tls-chain.pem -M /home/ec2-user/admin-msp

I got this "certificate signed by unknown authority" error. Has anyone encountered this before?

Error: POST failure of request: POST https://ca.m-mncy4qiyg5hdrfqo4bccrbqjeu.n-xa5l3pcnu5c6hmnk6e24dzoijq.managedblockchain.ap-southeast-1.amazonaws.com:30002/enroll {"hosts":["ip-10-0-40-173"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBRDCB6wIBADBdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDjAMBgNV\nBAMTBWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4S1gl2Yy1JNPhb5K\n40l76l7oL/yp009IVrVg7C6d1udQNBDdhrxFBQp6Hddp2buLIbltbHH7q9PWZRvr\n5Ij20aAsMCoGCSqGSIb3DQEJDjEdMBswGQYDVR0RBBIwEIIOaXAtMTAtMC00MC0x\nNzMwCgYIKoZIzj0EAwIDSAAwRQIhAOR2fAYtMyHO4AopxOTpXYT1EN2K5mRqOYgl\nyoxXERFMAiA4guhgHfz4NdntNrlje24LMrCaYH5u8E2uI3Vc/yXjWQ==\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","CAName":""}: Post https://ca.m-mncy4qiyg5hdrfqo4bccrbqjeu.n-xa5l3pcnu5c6hmnk6e24dzoijq.managedblockchain.ap-southeast-1.amazonaws.com:30002/enroll: x509: certificate signed by unknown authority

awattez commented 3 years ago

Same here.

awattez commented 3 years ago

I found the solution: the "x509: certificate signed by unknown authority" error is indeed related to the TLS certificate.

When I look at your call URL to the CA, https://ca.m-mncy4qiyg5hdrfqo4bccrbqjeu.n-xa5l3pcnu5c6hmnk6e24dzoijq.managedblockchain.ap-southeast-1.amazonaws.com:30002, we see that your managed blockchain is in the Managed Blockchain region ap-southeast-1, and each region has its own TLS certificate.

It is therefore necessary to retrieve the latest pem file not from us-east-1 but from ap-southeast-1. In the part https://github.com/aws-samples/non-profit-blockchain/tree/master/ngo-fabric#part1-build-a-hyperledger-fabric-blockchain-network-using-amazon-managed-blockchain it is necessary to replace the command:

aws s3 cp s3://us-east-1.managedblockchain/etc/managedblockchain-tls-chain.pem /home/ec2-user/managedblockchain-tls-chain.pem

with

aws s3 cp s3://ap-southeast-1.managedblockchain/etc/managedblockchain-tls-chain.pem /home/ec2-user/managedblockchain-tls-chain.pem

Ditto for other regions where we can deploy AWS Managed Blockchain Hyperledger.
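The fix described in the comment above, as an added example that is not part of the thread or of the repository: a script that derives the region from the CA endpoint and builds the matching S3 path, so the TLS chain cannot drift from the endpoint's region. The function names are hypothetical, and the endpoint layout and bucket naming are assumed from the URL and the two `aws s3 cp` commands shown in the thread.

```shell
#!/bin/sh
# Added example: choose the TLS chain that matches the CA endpoint's region.

# Print the region of a CA endpoint of the form seen in the thread:
#   [https://][user:pass@]ca.<member>.<network>.managedblockchain.<region>.amazonaws.com[:port]
region_from_endpoint() {
    host=${1#*://}     # drop scheme, if any
    host=${host##*@}   # drop user:password@, if any
    host=${host%%/*}   # drop path, if any
    host=${host%%:*}   # drop port, if any
    case "$host" in
        *.managedblockchain.*.amazonaws.com)
            region=${host#*.managedblockchain.}
            region=${region%.amazonaws.com} ;;
        *) return 1 ;;
    esac
    # The region must be one DNS label such as ap-southeast-1.
    case "$region" in
        ''|*.*|*[!a-z0-9-]*) return 1 ;;
    esac
    printf '%s\n' "$region"
}

# Print the S3 URI of the regional chain (bucket pattern assumed from the thread).
tls_chain_uri() {
    region=$(region_from_endpoint "$1") || return 1
    printf 's3://%s.managedblockchain/etc/managedblockchain-tls-chain.pem\n' "$region"
}

# Download the chain for the endpoint's region (needs the AWS CLI and network).
fetch_tls_chain() {
    uri=$(tls_chain_uri "$1") || { echo "unrecognised endpoint: $1" >&2; return 1; }
    aws s3 cp "$uri" "${2:-/home/ec2-user/managedblockchain-tls-chain.pem}"
}

# Confirm the CA endpoint verifies against the chain before running enroll
# (needs openssl and network; succeeds only if verification passes).
check_tls_chain() {
    hostport=${1#*://}; hostport=${hostport##*@}; hostport=${hostport%%/*}
    openssl s_client -connect "$hostport" -CAfile "$2" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

# Offline demonstration using the endpoint quoted in the thread.
tls_chain_uri "ca.m-mncy4qiyg5hdrfqo4bccrbqjeu.n-xa5l3pcnu5c6hmnk6e24dzoijq.managedblockchain.ap-southeast-1.amazonaws.com:30002"
```

On the client instance, `fetch_tls_chain "$CASERVICEENDPOINT"` followed by `check_tls_chain "$CASERVICEENDPOINT" /home/ec2-user/managedblockchain-tls-chain.pem` reports a region mismatch before `fabric-ca-client enroll` is attempted.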