hyperledger-labs / fabric-operator

Hyperledger Fabric Kubernetes Operator
Apache License 2.0

Certificate is valid for ingress.local, not test-network-org0-ca-ca.localho.st error on network up #105

Open charalarg opened 1 year ago

charalarg commented 1 year ago

Is anyone else having this error message on ./network up? I am running a local cluster with rancher desktop and k3s.

This error comes up when enrolling org0 root CA admin rcaadmin: Debug logs:

2023/03/29 22:03:32 [INFO] Created a default configuration file at fabric-operator/sample-network/temp/enrollments/org0/users/rcaadmin/fabric-ca-client-config.yaml
2023/03/29 22:03:32 [INFO] TLS Enabled
2023/03/29 22:03:32 [INFO] generating key: &{A:ecdsa S:256}
2023/03/29 22:03:32 [INFO] encoded CSR
Error: POST failure of request: POST https://test-network-org0-ca-ca.localho.st:443/enroll
{"hosts":["cargyriou-ThinkPad-P14s"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBUDCB9wIBADBgMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxETAPBgNV\nBAMTCHJjYWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7p3KsryyxBHu\nPzbnZF+qlPD32jZ3Lf72Li1Iwbx69iMvhjHIpAWy8KJG9INmm5wzevUr0Wl92hXy\n8TASTvRDDKA1MDMGCSqGSIb3DQEJDjEmMCQwIgYDVR0RBBswGYIXY2FyZ3lyaW91\nLVRoaW5rUGFkLVAxNHMwCgYIKoZIzj0EAwIDSAAwRQIhALZ3qvBdoFlP48/FRrND\nHJGFqCKFPrDiyr/laQ9NltQwAiBZC3Uf4f6B8JUD1wdvnAzeNGdudcQ7q/t/7+wo\nQd4+pQ==\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","ReturnPrecert":false,"CAName":""}: Post "https://test-network-org0-ca-ca.localho.st:443/enroll": x509: certificate is valid for ingress.local, not test-network-org0-ca-ca.localho.st

jkneubuh commented 1 year ago

Hi @charalarg

./network up is compatible with rancher desktop and k3s. However - the up targets will attempt to bind an Nginx ingress controller to ports 80 and 443.

What is happening above is that the CA client is trying to connect to the cluster ingress at port 443, and hitting the Traefik controller that has been installed with Rancher Desktop. Basically - you have two ingress systems running, both trying to bind to :80 and :443.

Quick fix for this is to disable the Traefik ingress in the Rancher Desktop settings. OR to change the ingress port bindings in the ./network script (I believe these can be set with environment variable overrides...).

Using the Nginx config that comes with the ./network up script is probably the easiest path forward. The other alternative would be to enable the ssl-passthrough mode for Traefik.

There are some notes on Rancher setup in the samples project at https://github.com/hyperledger/fabric-samples/blob/main/test-network-k8s/docs/KUBERNETES.md#rancher-desktop-and-k3s
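
An added example (not part of the thread or of the fabric-operator code) that reproduces the x509 error above and shows how to tell which endpoint answered on :443 by reading the names in the certificate it presents. The helper names, the in-memory server and the generated certificates are constructed for illustration; only the two hostnames come from the log.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a constructed stand-in for the certificate an ingress controller serves.
func selfSigned(name string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		DNSNames:  []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// probe handshakes with verification off (inspection only, never for a real enrollment),
// then returns the names the peer presented and the hostname check a verifying client runs.
func probe(conn net.Conn, host string) ([]string, error) {
	c := tls.Client(conn, &tls.Config{ServerName: host, InsecureSkipVerify: true})
	if err := c.Handshake(); err != nil {
		return nil, err
	}
	leaf := c.ConnectionState().PeerCertificates[0]
	return leaf.DNSNames, leaf.VerifyHostname(host)
}

// diagnose (hypothetical helper) probes an in-memory TLS endpoint that serves servedName.
func diagnose(servedName, host string) ([]string, error) {
	cli, srv := net.Pipe()
	defer cli.Close()
	cfg := &tls.Config{Certificates: []tls.Certificate{selfSigned(servedName)}, SessionTicketsDisabled: true}
	go tls.Server(srv, cfg).Handshake()
	return probe(cli, host)
}

func main() {
	fmt.Println(diagnose("ingress.local", "test-network-org0-ca-ca.localho.st"))
}
```

Against the live cluster, pass `probe` a connection from `net.Dial("tcp", "test-network-org0-ca-ca.localho.st:443")`; names that do not include the CA host mean a different TLS endpoint is terminating the connection.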

charalarg commented 1 year ago

Hello @jkneubuh, Thank you for your response. The thing is that I followed the readme file step by step so I had already disabled Traefik on Rancher Desktop and also tried the whole procedure both with containerd and dockerd runtime. Unfortunately I had the same results.

charalarg commented 1 year ago

I managed to run the ingress successfully by disabling the other one occupying the ports but then I get another error.

writing org0-ca connection profile to fabric-operator/sample-network/temp/cas/org0-ca/connection-profile.json
2023/03/30 18:11:27 [INFO] TLS Enabled
2023/03/30 18:11:27 [INFO] generating key: &{A:ecdsa S:256}
2023/03/30 18:11:27 [INFO] encoded CSR
Error: POST failure of request: POST https://test-network-org0-ca-ca.localho.st:443/enroll
{"hosts":["cargyriou-ThinkPad-P14s"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBUDCB9wIBADBgMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxETAPBgNV\nBAMTCHJjYWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQw2Sz9J8mZI1\nUMWbG9d0F2nAdbLqLkd25SeTO+t4NivpnbrRNKmj7FMoEWOOkJlax1aT+wWY2Sux\nBKk13HfthaA1MDMGCSqGSIb3DQEJDjEmMCQwIgYDVR0RBBswGYIXY2FyZ3lyaW91\nLVRoaW5rUGFkLVAxNHMwCgYIKoZIzj0EAwIDSAAwRQIhAJlYPNY2kzZSLC8bIBkC\nZqaBYUq3Q3zo6fkMZ0EWeoBxAiA1rCuvL4Jl4xfr5It57U04qDpuNqv4Dej1J4h7\nRldWag==\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","ReturnPrecert":false,"CAName":""}: Post "https://test-network-org0-ca-ca.localho.st:443/enroll": read tcp 127.0.0.1:50036->127.0.0.1:443: read: connection reset by peer

Maybe this is not relevant but something seems broken in my network config.