chainHero / heroes-service

Short tutorial to build a blockchain application in Go with Hyperledger Fabric
https://chainhero.io/2018/06/tutorial-build-blockchain-app-v1-1-0/
Apache License 2.0

Some *.pem keys expired #2

Closed tarasom closed 6 years ago

antitoine commented 6 years ago

Hi, thanks for the information. We are currently working on updating the tutorial. We are not far from having finished, there are still a few paragraphs missing. You can start using it now, everything is on the newVersion branch: https://github.com/chainHero/heroes-service/tree/newVersion

tittuvarghese commented 6 years ago

@antitoine How can I fix the certificate issue? Is there any way to renew those certificates without moving to the new version?

antitoine commented 6 years ago

You can generate new crypto-config and artefact files by following the tutorial provided by the Fabric documentation: https://hyperledger-fabric.readthedocs.io/en/release/build_network.html

This is the expiration date of each certificate:

./fixtures/channel/crypto-config/peerOrganizations/org1.example.com/msp/admincerts/Admin@org1.example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/peerOrganizations/org1.example.com/msp/cacerts/org1.example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/peerOrganizations/org1.example.com/msp/cacerts/org1.example.com-tls-cert.pem
            Not After : Feb 20 19:06:10 2018 GMT
./fixtures/channel/crypto-config/peerOrganizations/org1.example.com/msp/cacerts/org2.example.com-tls-cert.pem
            Not After : Feb 20 19:06:10 2018 GMT
./fixtures/channel/crypto-config/peerOrganizations/org1.example.com/msp/tlscacerts/org1.example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/peerOrganizations/org1.example.com/msp/signcerts/org1.example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/admincerts/Admin@org1.example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/cacerts/org1.example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tlscacerts/org1.example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/signcerts/peer0.org1.example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/peerOrganizations/org1.example.com/ca/org1.example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/admincerts/org1.example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/cacerts/org1.example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/signcerts/Admin@org1.example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/peerOrganizations/org1.example.com/users/User1@org1.example.com/admincerts/org1.example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/peerOrganizations/org1.example.com/users/User1@org1.example.com/cacerts/org1.example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/peerOrganizations/org1.example.com/users/User1@org1.example.com/signcerts/User1@org1.example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/peerOrganizations/org2.example.com/msp/admincerts/Admin@org2.example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/peerOrganizations/org2.example.com/msp/cacerts/org2.example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/peerOrganizations/org2.example.com/msp/signcerts/org2.example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/admincerts/Admin@org2.example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/cacerts/org2.example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tlscacerts/org2.example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/signcerts/peer0.org2.example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/peerOrganizations/org2.example.com/ca/org2.example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/peerOrganizations/org2.example.com/tlscacerts/org2.example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/peerOrganizations/org2.example.com/users/Admin@org2.example.com/admincerts/org2.example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/peerOrganizations/org2.example.com/users/Admin@org2.example.com/cacerts/org2.example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/peerOrganizations/org2.example.com/users/Admin@org2.example.com/signcerts/Admin@org2.example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/peerOrganizations/org2.example.com/users/User1@org2.example.com/admincerts/org2.example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/peerOrganizations/org2.example.com/users/User1@org2.example.com/cacerts/org2.example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/peerOrganizations/org2.example.com/users/User1@org2.example.com/signcerts/User1@org2.example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/ordererOrganizations/example.com/msp/admincerts/Admin@example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/ordererOrganizations/example.com/msp/cacerts/org1.example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/ordererOrganizations/example.com/msp/cacerts/example.com-tls-cert.pem
            Not After : Feb 20 19:06:10 2018 GMT
./fixtures/channel/crypto-config/ordererOrganizations/example.com/msp/cacerts/org1.example.com-tls-cert.pem
            Not After : Feb 20 19:06:10 2018 GMT
./fixtures/channel/crypto-config/ordererOrganizations/example.com/msp/cacerts/org2.example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/ordererOrganizations/example.com/msp/cacerts/example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/ordererOrganizations/example.com/msp/cacerts/org2.example.com-tls-cert.pem
            Not After : Feb 20 19:06:10 2018 GMT
./fixtures/channel/crypto-config/ordererOrganizations/example.com/msp/tlscacerts/org1.example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/ordererOrganizations/example.com/msp/tlscacerts/example.com-tls-cert.pem
            Not After : Feb 20 19:06:10 2018 GMT
./fixtures/channel/crypto-config/ordererOrganizations/example.com/msp/tlscacerts/org1.example.com-tls-cert.pem
            Not After : Feb 20 19:06:10 2018 GMT
./fixtures/channel/crypto-config/ordererOrganizations/example.com/msp/tlscacerts/org2.example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/ordererOrganizations/example.com/msp/tlscacerts/example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/ordererOrganizations/example.com/msp/tlscacerts/org2.example.com-tls-cert.pem
            Not After : Feb 20 19:06:10 2018 GMT
./fixtures/channel/crypto-config/ordererOrganizations/example.com/msp/signcerts/example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/admincerts/Admin@example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/cacerts/example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tlscacerts/example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/signcerts/orderer.example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/ordererOrganizations/example.com/ca/example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/ordererOrganizations/example.com/users/Admin@example.com/admincerts/example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/ordererOrganizations/example.com/users/Admin@example.com/cacerts/example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/channel/crypto-config/ordererOrganizations/example.com/users/Admin@example.com/signcerts/Admin@example.com-cert.pem
            Not After : Apr 20 12:02:56 2027 GMT
./fixtures/tls_client-cert.pem
            Not After : Dec 15 15:01:00 2017 GMT
./fixtures/tls/fabricca/server/server_localhost.pem
            Not After : Jun 14 16:12:00 2018 GMT
./fixtures/tls/fabricca/client/client_client1.pem
            Not After : Jun 14 16:12:00 2018 GMT
./fixtures/tls/fabricca/ca/ca_root.pem
            Not After : Jun  7 16:12:00 2047 GMT
./fixtures/root.pem
            Not After : Oct 11 19:31:00 2021 GMT
./fixtures/fabricca/ecert.pem
            Not After : Nov 27 12:24:00 2017 GMT

You can get this output with: find -type f | grep '\.pem' | xargs -I {} sh -c 'echo {}; openssl x509 -in {} -text | grep "Not After"'

So today, the following certificates are no longer valid:

tittuvarghese commented 6 years ago

Thanks, @antitoine for the help.

I have generated the certificates but still, I'm getting one error. Unable to initialize the Fabric SDK: CreateAndJoinChannel return error: Error querying channels for primary peer: QueryByChaincode return error: Error calling endorser 'localhost:7051': x509: certificate signed by unknown authority

Using the newly generated Certificates for orderer and peer, and for the localhost using the existing one provided in this tutorial.

Following is the log from ca_peerOrg1

2018/02/26 11:07:51 [DEBUG] TLS is enabled
2018/02/26 11:07:51 [DEBUG] Could not load TLS certificate with BCCSP: Could not find matching private key for SKI: CSP:500 - Failed getting key for SKI [[155 240 132 160 167 70 176 178 141 10 9 250 200 65 153 120 89 138 69 182 231 109 129 21 14 220 19 171 169 156 194 47]]
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/hyperledger/fabric/bccsp/sw/impl.go:257 github.com/hyperledger/fabric-ca/vendor/github.com/hyperledger/fabric/bccsp/sw.(*impl).GetKey
/opt/gopath/src/github.com/hyperledger/fabric-ca/util/csp.go:218 github.com/hyperledger/fabric-ca/util.GetSignerFromCert
/opt/gopath/src/github.com/hyperledger/fabric-ca/util/csp.go:340 github.com/hyperledger/fabric-ca/util.LoadX509KeyPair
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/server.go:424 github.com/hyperledger/fabric-ca/lib.(*Server).listenAndServe
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/server.go:124 github.com/hyperledger/fabric-ca/lib.(*Server).Start
/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/start.go:41 main.runStart
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:643 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).execute
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:734 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).ExecuteC
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:692 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).Execute
/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:95 main.RunMain
/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:82 main.main
/opt/go/src/runtime/proc.go:192 runtime.main
/opt/go/src/runtime/asm_amd64.s:2087 runtime.goexit
Caused by: Key type not recognized
2018/02/26 11:07:51 [DEBUG] Attempting fallback with certfile /etc/hyperledger/fabric-ca-server-config/tls/server_localhost.pem and keyfile /etc/hyperledger/fabric-ca-server-config/tls/server_localhost-key.pem
2018/02/26 11:07:51 [DEBUG] Client authentication type requested: noclientcert

antitoine commented 6 years ago

I encourage you to use the new version of the tutorial that uses a real version of Fabric (not an RC). This has just been merged into master (#4). But, if someone finds a solution to generate new certificates for version 1.0.0.0-rc1, I'm interested.
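
Added example (not part of this thread and not code from heroes-service): a Go check that sorts a `.pem` file into the states discussed above: not a certificate at all (the `*-key.pem` files that the `openssl x509` one-liner trips over), expired, valid but not chaining to the configured CA (the "certificate signed by unknown authority" case after regenerating only part of the material), or OK. The function names `audit` and `issue` and the `*.test` subjects are hypothetical, and the certificates are constructed in memory.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// audit classifies one PEM file: "not-a-cert" (e.g. a *-key.pem), "expired", "untrusted" or "ok".
func audit(data []byte, ca *x509.Certificate, now time.Time) string {
	var cert *x509.Certificate
	if block, _ := pem.Decode(data); block != nil && block.Type == "CERTIFICATE" {
		cert, _ = x509.ParseCertificate(block.Bytes)
	}
	if cert == nil {
		return "not-a-cert"
	} else if now.After(cert.NotAfter) {
		return "expired"
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca) // trust exactly one CA, like a client configured with a single CA file
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		return "untrusted" // Go reports "x509: certificate signed by unknown authority"
	}
	return "ok"
}

// issue builds a constructed one-year sample certificate; a nil parent yields a self-signed CA.
func issue(cn string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, []byte) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0), IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = tpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() { // a peer cert reissued under a new CA, checked against old roots, new roots, and a later date
	oldCA, _, _ := issue("old-ca.test", nil, nil)
	newCA, newKey, _ := issue("new-ca.test", nil, nil)
	_, _, peer := issue("peer0.test", newCA, newKey)
	fmt.Println(audit(peer, oldCA, time.Now()), audit(peer, newCA, time.Now()), audit(peer, newCA, time.Now().AddDate(2, 0, 0)))
}
```

To audit a real tree, read each file with `os.ReadFile` and pass the CA certificate that the peer or SDK configuration actually points at.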