hyperledger / bevel-operator-fabric

Hyperledger Fabric Kubernetes operator - Hyperledger Fabric operator for Kubernetes (v2.3, v2.4 and v2.5, soon 3.0)
https://hyperledger.github.io/bevel-operator-fabric/
Apache License 2.0

SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway. #125

Closed JohanIskandar closed 1 year ago

JohanIskandar commented 1 year ago

Hello,

I am following the tutorial at https://github.com/hyperledger-labs/hlf-operator, and at the stage of running the following curl command I got an error. I am using macOS Big Sur, everything is on localhost, using a kind cluster with hlf-operator v1.8, and I have updated krew. I followed all the instructions except

Ensure you have these ports available before creating the cluster: 80 443

because I think it runs locally.

Here is the command that I ran:

curl -vik https://peer0-org1.localho.st:443

* Uses proxy env variable NO_PROXY == 'localhost,127.0.0.1'
*   Trying ::1...
* TCP_NODELAY set
* Connected to peer0-org1.localho.st (::1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: OU=peer; CN=peer
*  start date: Nov  3 16:36:00 2022 GMT
*  expire date: Nov  3 16:41:00 2023 GMT
*  issuer: C=ES; L=Alicante; street=Alicante; O=Kung Fu Software; OU=Tech; CN=tlsca
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fc768808200)
> GET / HTTP/2
> Host: peer0-org1.localho.st
> User-Agent: curl/7.64.1
> Accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS == 4294967295)!
* HTTP/2 stream 0 was not closed cleanly: INTERNAL_ERROR (err 2)
* stopped the pause stream!
* Connection #0 to host peer0-org1.localho.st left intact
curl: (92) HTTP/2 stream 0 was not closed cleanly: INTERNAL_ERROR (err 2)
* Closing connection 0

Note that:

curl -k https://org1-ca.localho.st:443/cainfo (returns Json results)
curl -vik https://peer0-org1.localho.st:443 (does not return Json results)
curl -vik https://ord-ca.localho.st:443/cainfo (returns Json results)
curl -vik https://orderer0-ord.localho.st:443 (does not return Json results)

I guess that peer create does not get the certificate

Please let me know what causes the problem and how to fix it. At this stage, I do not know how to debug it. I just want to be able to deploy my chaincode, but since I got the certificate issues, the installation of the chaincode does not work.

Thank you all in advance

regards,

Johan

alialdemir commented 1 year ago

I'm having a similar problem. How will we solve it?

JohanIskandar commented 1 year ago

I upgraded to use version 1.8

dviejokfs commented 1 year ago

New documentation will include OpenSSL commands for the verification of the peers and orderers. The CA returns JSON because it's an HTTP server; peers and orderers are gRPC servers.

The fact that it replies with:

HTTP/2 stream 0 was not closed cleanly:

is good, since that means the peers/orderers are responding.
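
The verify result 20 in the curl output above can be reproduced offline, as an added example that is not part of the issue thread or the project's documentation: a peer certificate signed by a private CA fails against the default trust store and passes once that CA is supplied. The CA and peer certificate are constructed test material, and `check_endpoint` assumes you have saved the network's TLS CA certificate to a file of your own naming.

```shell
#!/usr/bin/env bash
# Added example. The CA and peer certificate are constructed throwaway test
# material; nothing here comes from a real cluster.

# make_pki DIR: create a CA with CN=tlsca and a peer certificate signed by it.
make_pki() {
  local d=$1
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/ca.key" 2>/dev/null
  openssl req -x509 -new -key "$d/ca.key" -subj "/CN=tlsca" -days 1 \
    -out "$d/tlsca.pem" 2>/dev/null
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/peer.key" 2>/dev/null
  openssl req -new -key "$d/peer.key" -subj "/OU=peer/CN=peer" \
    -out "$d/peer.csr" 2>/dev/null
  openssl x509 -req -in "$d/peer.csr" -CA "$d/tlsca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/peer.pem" 2>/dev/null
}

# verify_cert CERT [CAFILE]: print "ok", or the OpenSSL verify error number.
# Without CAFILE only the default trust store is used, as in the curl run.
verify_cert() {
  local out
  if out=$(openssl verify ${2:+-CAfile "$2"} "$1" 2>&1); then
    echo ok
  else
    echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at.*/\1/p' | head -n 1
  fi
}

# check_endpoint HOST CAFILE: live check of a peer or orderer (needs a running
# cluster). CAFILE is assumed to hold the network's TLS CA certificate.
check_endpoint() {
  openssl s_client -connect "$1:443" -servername "$1" -CAfile "$2" \
    </dev/null 2>/dev/null | grep 'Verify return code'
}

# Offline demo on the constructed PKI.
tmp=$(mktemp -d) && make_pki "$tmp"
echo "default trust store: $(verify_cert "$tmp/peer.pem")"
echo "with tlsca.pem:      $(verify_cert "$tmp/peer.pem" "$tmp/tlsca.pem")"
rm -rf "$tmp"
```

Against a running cluster, `check_endpoint peer0-org1.localho.st tlsca.pem` reports the verify return code for the peer's TLS certificate without relying on an HTTP response body.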