hyperledger / fabric-samples

Samples for Hyperledger Fabric
https://wiki.hyperledger.org/display/fabric
Apache License 2.0

test-network-k8s: error when Enrolling bootstrap ECert CA users, POST EOF #879

Closed FROOOOOOO closed 1 year ago

FROOOOOOO commented 1 year ago

When installing the Kubernetes test network on my local cluster, the network script fails with an error when enrolling bootstrap ECert CA users. I found that the command in the network script causing the error is in scripts/fabric-CAs.sh:

# Enroll the root CA user
  fabric-ca-client enroll \
    --url https://${RCAADMIN_USER}:${RCAADMIN_PASS}@${CA_NAME}.${DOMAIN}:${NGINX_HTTPS_PORT} \
    --tls.certfiles $TEMP_DIR/cas/${CA_NAME}/tlsca-cert.pem \
    --mspdir $TEMP_DIR/enrollments/${org}/users/${RCAADMIN_USER}/msp

During network up:

$ ./network up
Launching network "test-network":
✅ - Creating namespace "test-network" ...
✅ - Provisioning volume storage ...
✅ - Creating fabric config maps ...
✅ - Initializing TLS certificate Issuers ...
✅ - Launching Fabric CAs ...
⚠️  - Enrolling bootstrap ECert CA users ...
Error: POST failure of request: POST https://org0-ca.localho.st:443/enroll
{"hosts":["k8s-master"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBQzCB6gIBADBgMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxETAPBgNV\nBAMTCHJjYWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE3ebLc/0jMZ3I\nVFt+hpePEovPWGsh/DtPSC1nYC1mzXvVF4BCyo64tR9XGxu2nOh4GABsyV625Qor\n5WwzDBXVgaAoMCYGCSqGSIb3DQEJDjEZMBcwFQYDVR0RBA4wDIIKazhzLW1hc3Rl\ncjAKBggqhkjOPQQDAgNIADBFAiEAuc3/2P0FhhOhaz0jTRxsO4tP2VUad2emfaQ5\nEuKcz24CIBKnL50AIRC9FCf/eEsoEkSc4Hnf4tBMwnV+HxpjvkFk\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","ReturnPrecert":false,"CAName":""}: Post "https://org0-ca.localho.st:443/enroll": EOF

And the full log in network-debug.log:

namespace/test-network created
persistentvolumeclaim/fabric-org0 created
persistentvolumeclaim/fabric-org1 created
persistentvolumeclaim/fabric-org2 created
Error from server (NotFound): configmaps "org0-config" not found
Error from server (NotFound): configmaps "org1-config" not found
Error from server (NotFound): configmaps "org2-config" not found
configmap/org0-config created
configmap/org1-config created
configmap/org2-config created
issuer.cert-manager.io/root-tls-cert-issuer created
issuer.cert-manager.io/root-tls-cert-issuer condition met
issuer.cert-manager.io/root-tls-cert-issuer unchanged
issuer.cert-manager.io/root-tls-cert-issuer condition met
issuer.cert-manager.io/root-tls-cert-issuer unchanged
issuer.cert-manager.io/root-tls-cert-issuer condition met
certificate.cert-manager.io/org0-tls-cert-issuer created
issuer.cert-manager.io/org0-tls-cert-issuer created
certificate.cert-manager.io/org1-tls-cert-issuer created
issuer.cert-manager.io/org1-tls-cert-issuer created
certificate.cert-manager.io/org2-tls-cert-issuer created
issuer.cert-manager.io/org2-tls-cert-issuer created
issuer.cert-manager.io/org0-tls-cert-issuer condition met
issuer.cert-manager.io/org1-tls-cert-issuer condition met
issuer.cert-manager.io/org2-tls-cert-issuer condition met
Applying template kube/org0/org0-ca.yaml:
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: org0-ca-tls-cert
spec:
  isCA: false
  privateKey:
    algorithm: ECDSA
    size: 256
  dnsNames:
    - localhost
    - org0-ca
    - org0-ca.test-network.svc.cluster.local
    - org0-ca.localho.st
  ipAddresses:
    - 127.0.0.1
  secretName: org0-ca-tls-cert
  issuerRef:
    name: org0-tls-cert-issuer

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: org0-ca
spec:
  replicas: 1
  selector:
    matchLabels:
      app: org0-ca
  template:
    metadata:
      labels:
        app: org0-ca
    spec:
      containers:
        - name: main
          image: hyperledger/fabric-ca:1.5
          imagePullPolicy: IfNotPresent
          env:
            - name: FABRIC_CA_SERVER_CA_NAME
              value: "org0-ca"
            - name: FABRIC_CA_SERVER_DEBUG
              value: "false"
            - name: FABRIC_CA_SERVER_HOME
              value: "/var/hyperledger/fabric-ca-server"
            - name: FABRIC_CA_SERVER_TLS_CERTFILE
              value: "/var/hyperledger/fabric/config/tls/tls.crt"
            - name: FABRIC_CA_SERVER_TLS_KEYFILE
              value: "/var/hyperledger/fabric/config/tls/tls.key"
            - name: FABRIC_CA_CLIENT_HOME
              value: "/var/hyperledger/fabric-ca-client"
          ports:
            - containerPort: 443
          volumeMounts:
            - name: fabric-volume
              mountPath: /var/hyperledger
            - name: fabric-config
              mountPath: /var/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml
              subPath: fabric-ca-server-config.yaml
            - name: tls-cert-volume
              mountPath: /var/hyperledger/fabric/config/tls
              readOnly: true
          readinessProbe:
            tcpSocket:
              port: 443
            initialDelaySeconds: 2
            periodSeconds: 5
      volumes:
        - name: fabric-volume
          persistentVolumeClaim:
            claimName: fabric-org0
        - name: fabric-config
          configMap:
            name: org0-config
        - name: tls-cert-volume
          secret:
            secretName: org0-ca-tls-cert

---
apiVersion: v1
kind: Service
metadata:
  name: org0-ca
spec:
  ports:
    - name: https
      port: 443
      protocol: TCP
  selector:
    app: org0-ca

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/proxy-connect-timeout: 60s
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
  labels:
    app: org0-ca
  name: org0-ca
spec:
  ingressClassName: nginx
  rules:
    - host: org0-ca.localho.st
      http:
        paths:
          - backend:
              service:
                name: org0-ca
                port:
                  name: https
            path: /
            pathType: ImplementationSpecific
  tls:
    - hosts:
      - org0-ca.localho.st
certificate.cert-manager.io/org0-ca-tls-cert created
deployment.apps/org0-ca created
service/org0-ca created
ingress.networking.k8s.io/org0-ca created
Applying template kube/org1/org1-ca.yaml:
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: org1-ca-tls-cert
spec:
  isCA: false
  privateKey:
    algorithm: ECDSA
    size: 256
  dnsNames:
    - localhost
    - org1-ca
    - org1-ca.test-network.svc.cluster.local
    - org1-ca.localho.st
  ipAddresses:
    - 127.0.0.1
  secretName: org1-ca-tls-cert
  issuerRef:
    name: org1-tls-cert-issuer

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: org1-ca
spec:
  replicas: 1
  selector:
    matchLabels:
      app: org1-ca
  template:
    metadata:
      labels:
        app: org1-ca
    spec:
      containers:
        - name: main
          image: hyperledger/fabric-ca:1.5
          imagePullPolicy: IfNotPresent
          env:
            - name: FABRIC_CA_SERVER_CA_NAME
              value: "org1-ca"
            - name: FABRIC_CA_SERVER_DEBUG
              value: "false"
            - name: FABRIC_CA_SERVER_HOME
              value: "/var/hyperledger/fabric-ca-server"
            - name: FABRIC_CA_SERVER_TLS_CERTFILE
              value: "/var/hyperledger/fabric/config/tls/tls.crt"
            - name: FABRIC_CA_SERVER_TLS_KEYFILE
              value: "/var/hyperledger/fabric/config/tls/tls.key"
            - name: FABRIC_CA_CLIENT_HOME
              value: "/var/hyperledger/fabric-ca-client"
          ports:
            - containerPort: 443
          volumeMounts:
            - name: fabric-volume
              mountPath: /var/hyperledger
            - name: fabric-config
              mountPath: /var/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml
              subPath: fabric-ca-server-config.yaml
            - name: tls-cert-volume
              mountPath: /var/hyperledger/fabric/config/tls
              readOnly: true
          readinessProbe:
            tcpSocket:
              port: 443
            initialDelaySeconds: 2
            periodSeconds: 5
      volumes:
        - name: fabric-volume
          persistentVolumeClaim:
            claimName: fabric-org1
        - name: fabric-config
          configMap:
            name: org1-config
        - name: tls-cert-volume
          secret:
            secretName: org1-ca-tls-cert
---
apiVersion: v1
kind: Service
metadata:
  name: org1-ca
spec:
  ports:
    - name: https
      port: 443
      protocol: TCP
  selector:
    app: org1-ca

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/proxy-connect-timeout: 60s
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
  labels:
    app: org1-ca
  name: org1-ca
spec:
  ingressClassName: nginx
  rules:
    - host: org1-ca.localho.st
      http:
        paths:
          - backend:
              service:
                name: org1-ca
                port:
                  name: https
            path: /
            pathType: ImplementationSpecific
  tls:
    - hosts:
        - org1-ca.localho.st
certificate.cert-manager.io/org1-ca-tls-cert created
deployment.apps/org1-ca created
service/org1-ca created
ingress.networking.k8s.io/org1-ca created
Applying template kube/org2/org2-ca.yaml:
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: org2-ca-tls-cert
spec:
  isCA: false
  privateKey:
    algorithm: ECDSA
    size: 256
  dnsNames:
    - localhost
    - org2-ca
    - org2-ca.test-network.svc.cluster.local
    - org2-ca.localho.st
  ipAddresses:
    - 127.0.0.1
  secretName: org2-ca-tls-cert
  issuerRef:
    name: org2-tls-cert-issuer

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: org2-ca
spec:
  replicas: 1
  selector:
    matchLabels:
      app: org2-ca
  template:
    metadata:
      labels:
        app: org2-ca
    spec:
      containers:
        - name: main
          image: hyperledger/fabric-ca:1.5
          imagePullPolicy: IfNotPresent
          env:
            - name: FABRIC_CA_SERVER_CA_NAME
              value: "org2-ca"
            - name: FABRIC_CA_SERVER_DEBUG
              value: "false"
            - name: FABRIC_CA_SERVER_HOME
              value: "/var/hyperledger/fabric-ca-server"
            - name: FABRIC_CA_SERVER_TLS_CERTFILE
              value: "/var/hyperledger/fabric/config/tls/tls.crt"
            - name: FABRIC_CA_SERVER_TLS_KEYFILE
              value: "/var/hyperledger/fabric/config/tls/tls.key"
            - name: FABRIC_CA_CLIENT_HOME
              value: "/var/hyperledger/fabric-ca-client"
          ports:
            - containerPort: 443
          volumeMounts:
            - name: fabric-volume
              mountPath: /var/hyperledger
            - name: fabric-config
              mountPath: /var/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml
              subPath: fabric-ca-server-config.yaml
            - name: tls-cert-volume
              mountPath: /var/hyperledger/fabric/config/tls
              readOnly: true
          readinessProbe:
            tcpSocket:
              port: 443
            initialDelaySeconds: 2
            periodSeconds: 5
      volumes:
        - name: fabric-volume
          persistentVolumeClaim:
            claimName: fabric-org2
        - name: fabric-config
          configMap:
            name: org2-config
        - name: tls-cert-volume
          secret:
            secretName: org2-ca-tls-cert
---
apiVersion: v1
kind: Service
metadata:
  name: org2-ca
spec:
  ports:
    - name: https
      port: 443
      protocol: TCP
  selector:
    app: org2-ca

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/proxy-connect-timeout: 60s
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
  labels:
    app: org2-ca
  name: org2-ca
spec:
  ingressClassName: nginx
  rules:
    - host: org2-ca.localho.st
      http:
        paths:
          - backend:
              service:
                name: org2-ca
                port:
                  name: https
            path: /
            pathType: ImplementationSpecific
  tls:
    - hosts:
        - org2-ca.localho.st
certificate.cert-manager.io/org2-ca-tls-cert created
deployment.apps/org2-ca created
service/org2-ca created
ingress.networking.k8s.io/org2-ca created
Waiting for deployment "org0-ca" rollout to finish: 0 of 1 updated replicas are available...
deployment "org0-ca" successfully rolled out
Waiting for deployment "org1-ca" rollout to finish: 0 of 1 updated replicas are available...
deployment "org1-ca" successfully rolled out
Waiting for deployment "org2-ca" rollout to finish: 0 of 1 updated replicas are available...
deployment "org2-ca" successfully rolled out
retrieving org0-ca TLS root cert
2022/12/05 22:49:57 [INFO] TLS Enabled
2022/12/05 22:49:57 [INFO] generating key: &{A:ecdsa S:256}
2022/12/05 22:49:57 [INFO] encoded CSR
Error: POST failure of request: POST https://org0-ca.localho.st:443/enroll
{"hosts":["k8s-master"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBQzCB6gIBADBgMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxETAPBgNV\nBAMTCHJjYWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE3ebLc/0jMZ3I\nVFt+hpePEovPWGsh/DtPSC1nYC1mzXvVF4BCyo64tR9XGxu2nOh4GABsyV625Qor\n5WwzDBXVgaAoMCYGCSqGSIb3DQEJDjEZMBcwFQYDVR0RBA4wDIIKazhzLW1hc3Rl\ncjAKBggqhkjOPQQDAgNIADBFAiEAuc3/2P0FhhOhaz0jTRxsO4tP2VUad2emfaQ5\nEuKcz24CIBKnL50AIRC9FCf/eEsoEkSc4Hnf4tBMwnV+HxpjvkFk\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","ReturnPrecert":false,"CAName":""}: Post "https://org0-ca.localho.st:443/enroll": EOF

Steps to reproduce:

  1. git clone https://github.com/hyperledger/fabric-samples.git && cd fabric-samples/test-network-k8s
  2. ./network cluster init
  3. ./network up

My cluster status after steps above:

$ kubectl get nodes -o wide            
NAME             STATUS   ROLES                  AGE   VERSION                    INTERNAL-IP      EXTERNAL-IP   OS-IMAGE                KERNEL-VERSION                CONTAINER-RUNTIME
k8s-cloudnode1   Ready    <none>                 27d   v1.23.8                    192.168.12.128   <none>        CentOS Linux 7 (Core)   3.10.0-1160.el7.x86_64        docker://20.10.21
k8s-edgenode1    Ready    agent,edge             27d   v1.22.6-kubeedge-v1.10.3   192.168.12.138   <none>        CentOS Linux 7 (Core)   3.10.0-1160.76.1.el7.x86_64   docker://20.10.21
k8s-edgenode2    Ready    agent,edge             27d   v1.22.6-kubeedge-v1.10.3   192.168.12.130   <none>        CentOS Linux 7 (Core)   3.10.0-1160.76.1.el7.x86_64   docker://20.10.18
k8s-master       Ready    control-plane,master   27d   v1.23.8                    192.168.12.127   <none>        CentOS Linux 7 (Core)   3.10.0-1160.el7.x86_64        docker://20.10.21

$ kubectl -n cert-manager get all -o wide
NAME                                          READY   STATUS    RESTARTS   AGE   IP               NODE             NOMINATED NODE   READINESS GATES
pod/cert-manager-cainjector-8c7796555-7gzbz   1/1     Running   0          41h   10.244.237.129   k8s-cloudnode1   <none>           <none>
pod/cert-manager-cdc85d4c4-gct6c              1/1     Running   0          41h   10.244.237.184   k8s-cloudnode1   <none>           <none>
pod/cert-manager-webhook-55f45df998-rzh8v     1/1     Running   0          41h   10.244.237.132   k8s-cloudnode1   <none>           <none>

NAME                           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE   SELECTOR
service/cert-manager           ClusterIP   10.96.109.90    <none>        9402/TCP   41h   app.kubernetes.io/component=controller,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=cert-manager
service/cert-manager-webhook   ClusterIP   10.107.93.100   <none>        443/TCP    41h   app.kubernetes.io/component=webhook,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=webhook

NAME                                      READY   UP-TO-DATE   AVAILABLE   AGE   CONTAINERS     IMAGES                                            SELECTOR
deployment.apps/cert-manager              1/1     1            1           41h   cert-manager   quay.io/jetstack/cert-manager-controller:v1.6.1   app.kubernetes.io/component=controller,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=cert-manager
deployment.apps/cert-manager-cainjector   1/1     1            1           41h   cert-manager   quay.io/jetstack/cert-manager-cainjector:v1.6.1   app.kubernetes.io/component=cainjector,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=cainjector
deployment.apps/cert-manager-webhook      1/1     1            1           41h   cert-manager   quay.io/jetstack/cert-manager-webhook:v1.6.1      app.kubernetes.io/component=webhook,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=webhook

NAME                                                DESIRED   CURRENT   READY   AGE   CONTAINERS     IMAGES                                            SELECTOR
replicaset.apps/cert-manager-cainjector-8c7796555   1         1         1       41h   cert-manager   quay.io/jetstack/cert-manager-cainjector:v1.6.1   app.kubernetes.io/component=cainjector,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=cainjector,pod-template-hash=8c7796555
replicaset.apps/cert-manager-cdc85d4c4              1         1         1       41h   cert-manager   quay.io/jetstack/cert-manager-controller:v1.6.1   app.kubernetes.io/component=controller,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=cert-manager,pod-template-hash=cdc85d4c4
replicaset.apps/cert-manager-webhook-55f45df998     1         1         1       41h   cert-manager   quay.io/jetstack/cert-manager-webhook:v1.6.1      app.kubernetes.io/component=webhook,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=webhook,pod-template-hash=55f45df998

$ kubectl -n ingress-nginx get all -o wide 
NAME                                            READY   STATUS      RESTARTS   AGE   IP               NODE             NOMINATED NODE   READINESS GATES
pod/ingress-nginx-admission-create-lkvcf        0/1     Completed   0          41h   10.244.237.191   k8s-cloudnode1   <none>           <none>
pod/ingress-nginx-admission-patch-27vmp         0/1     Completed   0          41h   10.244.237.147   k8s-cloudnode1   <none>           <none>
pod/ingress-nginx-controller-546df8869b-m4br5   1/1     Running     0          41h   10.244.235.219   k8s-master       <none>           <none>

NAME                                         TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE   SELECTOR
service/ingress-nginx-controller             NodePort    10.97.191.210    <none>        80:30971/TCP,443:31632/TCP   41h   app.kubernetes.io/component=controller,app.kubernetes.io/instance=ingress-nginx,app.kubernetes.io/name=ingress-nginx
service/ingress-nginx-controller-admission   ClusterIP   10.100.139.129   <none>        443/TCP                      41h   app.kubernetes.io/component=controller,app.kubernetes.io/instance=ingress-nginx,app.kubernetes.io/name=ingress-nginx

NAME                                       READY   UP-TO-DATE   AVAILABLE   AGE   CONTAINERS   IMAGES                                          SELECTOR
deployment.apps/ingress-nginx-controller   1/1     1            1           41h   controller   willdockerhub/ingress-nginx-controller:v1.1.2   app.kubernetes.io/component=controller,app.kubernetes.io/instance=ingress-nginx,app.kubernetes.io/name=ingress-nginx

NAME                                                  DESIRED   CURRENT   READY   AGE   CONTAINERS   IMAGES                                          SELECTOR
replicaset.apps/ingress-nginx-controller-546df8869b   1         1         1       41h   controller   willdockerhub/ingress-nginx-controller:v1.1.2   app.kubernetes.io/component=controller,app.kubernetes.io/instance=ingress-nginx,app.kubernetes.io/name=ingress-nginx,pod-template-hash=546df8869b

NAME                                       COMPLETIONS   DURATION   AGE   CONTAINERS   IMAGES                                SELECTOR
job.batch/ingress-nginx-admission-create   1/1           5s         41h   create       liangjw/kube-webhook-certgen:v1.1.1   controller-uid=0ede5d2f-5251-4726-948f-4622294bea37
job.batch/ingress-nginx-admission-patch    1/1           5s         41h   patch        liangjw/kube-webhook-certgen:v1.1.1   controller-uid=9234c051-a0b4-4b25-8203-dd6b5bb49f99

$ kubectl -n test-network get all -o wide
NAME                           READY   STATUS    RESTARTS   AGE   IP               NODE             NOMINATED NODE   READINESS GATES
pod/org0-ca-784c554bc8-7xckm   1/1     Running   0          17h   10.244.237.163   k8s-cloudnode1   <none>           <none>
pod/org1-ca-6b88f99cfc-nqwsn   1/1     Running   0          17h   10.244.237.167   k8s-cloudnode1   <none>           <none>
pod/org2-ca-6fbf9cbc88-wr2fv   1/1     Running   0          17h   10.244.237.166   k8s-cloudnode1   <none>           <none>

NAME              TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE   SELECTOR
service/org0-ca   ClusterIP   10.103.85.6     <none>        443/TCP   17h   app=org0-ca
service/org1-ca   ClusterIP   10.99.143.255   <none>        443/TCP   17h   app=org1-ca
service/org2-ca   ClusterIP   10.103.155.15   <none>        443/TCP   17h   app=org2-ca

NAME                      READY   UP-TO-DATE   AVAILABLE   AGE   CONTAINERS   IMAGES                      SELECTOR
deployment.apps/org0-ca   1/1     1            1           17h   main         hyperledger/fabric-ca:1.5   app=org0-ca
deployment.apps/org1-ca   1/1     1            1           17h   main         hyperledger/fabric-ca:1.5   app=org1-ca
deployment.apps/org2-ca   1/1     1            1           17h   main         hyperledger/fabric-ca:1.5   app=org2-ca

NAME                                 DESIRED   CURRENT   READY   AGE   CONTAINERS   IMAGES                      SELECTOR
replicaset.apps/org0-ca-784c554bc8   1         1         1       17h   main         hyperledger/fabric-ca:1.5   app=org0-ca,pod-template-hash=784c554bc8
replicaset.apps/org1-ca-6b88f99cfc   1         1         1       17h   main         hyperledger/fabric-ca:1.5   app=org1-ca,pod-template-hash=6b88f99cfc
replicaset.apps/org2-ca-6fbf9cbc88   1         1         1       17h   main         hyperledger/fabric-ca:1.5   app=org2-ca,pod-template-hash=6fbf9cbc88

papandas commented 1 year ago

I am also facing the same problem. However, I am trying to deploy it on AWS EKS, but stuck on this same point.

My error message says: x509: certificate signed by unknown authority


2023/02/27 17:05:46 [INFO] TLS Enabled
2023/02/27 17:05:46 [INFO] generating key: &{A:ecdsa S:256}
2023/02/27 17:05:46 [INFO] encoded CSR
Error: POST failure of request: POST https://org0-ca.${DOMAIN}:443/enroll
{"hosts":["${HOSTNAME}"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBUTCB+AIBADBgMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxETAPBgNV\nBAMTCHJjYWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4wjzbnOrAQdb\netKh1+bj96+7KkMSwTF8lQkCUhjGRhdhZzd4snBFpdvTT8eJlMtHnfESCckepFpY\nq5k+cyaEXKA2MDQGCSqGSIb3DQEJDjEnMCUwIwYDVR0RBBwwGoIYUGFwYW5zLU1h\nY0Jvb2stUHJvLmxvY2FsMAoGCCqGSM49BAMCA0gAMEUCIQCZ4ZFGZgrnKQy1jWqN\nEhOWjxa6cQ/Pe5YFDHf4koZX1wIgCANHNuIvVaFMCeEMzXnCmeUlAuWp/sv0S/X5\nos+nzmg=\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","ReturnPrecert":false,"CAName":""}: Post "https://org0-ca.${DOMAIN}:443/enroll": x509: certificate signed by unknown authority
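Both failures in this thread happen at the same step: the `fabric-ca-client enroll` call from scripts/fabric-CAs.sh, which connects to the CA through the nginx ssl-passthrough Ingress. The first report ends in `Post ...: EOF` (the connection was closed before a response), the second in `x509: certificate signed by unknown authority` (the handshake completed, but the certificate presented does not chain to the `tlsca-cert.pem` passed via `--tls.certfiles`). The script below is an added diagnostic, not code from fabric-samples: it takes the same `--url` and `--tls.certfiles` values the enroll command uses, strips the embedded credentials so they are never logged, checks that the CA hostname resolves, then runs an `openssl s_client` handshake with SNI (which the passthrough Ingress routes on) and classifies the outcome into the two failure modes seen above. The `CA_URL` and `CA_TLS_CERT` environment variables, and the `openssl` and `getent` dependencies, are assumptions of this example.

```shell
#!/bin/sh
# Added diagnostic (not part of fabric-samples). Probes the CA endpoint that
# `fabric-ca-client enroll --url ... --tls.certfiles ...` talks to and reports
# where a TLS failure occurs. Assumes openssl and getent are installed.
set -u

# Return host:port from an enroll URL, dropping the scheme, the user:password@
# part and any path, so the CA admin credentials never reach a log line.
ca_url_hostport() {
  url="$1"
  url="${url#https://}"
  url="${url#*@}"      # drop credentials if present
  url="${url%%/*}"     # drop any path
  printf '%s\n' "$url"
}

ca_url_host() {
  hp="$(ca_url_hostport "$1")"
  printf '%s\n' "${hp%%:*}"
}

# Port from the URL, defaulting to 443 when none is given.
ca_url_port() {
  hp="$(ca_url_hostport "$1")"
  case "$hp" in
    *:*) printf '%s\n' "${hp##*:}" ;;
    *)   printf '443\n' ;;
  esac
}

# Classify an `openssl s_client` transcript:
#   no_handshake  - peer closed the connection before presenting a certificate
#                   (matches the "Post ...: EOF" report above)
#   verify_failed - a certificate was presented but does not verify against
#                   the CA file / hostname (matches "x509: certificate signed
#                   by unknown authority")
#   ok            - chain and hostname verified
classify_handshake() {
  transcript="$1"
  if printf '%s\n' "$transcript" | grep -q 'no peer certificate available'; then
    echo no_handshake
  elif printf '%s\n' "$transcript" | grep -q 'Verify return code: 0 (ok)'; then
    echo ok
  elif printf '%s\n' "$transcript" | grep -q 'Verify return code:'; then
    echo verify_failed
  else
    echo no_handshake
  fi
}

# Network part: resolve the name, then handshake with SNI and verify the
# presented chain against the same tlsca-cert.pem the enroll command uses.
probe_ca() {
  url="$1"; cafile="$2"
  host="$(ca_url_host "$url")"; port="$(ca_url_port "$url")"
  if ! getent hosts "$host" >/dev/null 2>&1; then
    echo "$host does not resolve; add an /etc/hosts or DNS entry for it" >&2
    return 2
  fi
  transcript="$(openssl s_client -connect "$host:$port" -servername "$host" \
                  -verify_hostname "$host" -CAfile "$cafile" </dev/null 2>&1)"
  result="$(classify_handshake "$transcript")"
  case "$result" in
    ok)            echo "TLS to $host:$port verified against $cafile" ;;
    verify_failed) echo "TLS to $host:$port completed but verification failed:" >&2
                   printf '%s\n' "$transcript" | grep -E 'Verify return code|Verification error' >&2 ;;
    no_handshake)  echo "$host:$port closed the connection during the handshake;" \
                        "the request never reached the CA container" >&2 ;;
  esac
  [ "$result" = ok ]
}

# Only touch the network when the caller sets CA_URL (and CA_TLS_CERT).
if [ -n "${CA_URL:-}" ]; then
  probe_ca "$CA_URL" "${CA_TLS_CERT:?set CA_TLS_CERT to the tlsca-cert.pem path}"
fi
```

Run it as `CA_URL="https://${RCAADMIN_USER}:${RCAADMIN_PASS}@${CA_NAME}.${DOMAIN}:${NGINX_HTTPS_PORT}" CA_TLS_CERT="$TEMP_DIR/cas/${CA_NAME}/tlsca-cert.pem" sh probe.sh` with the variables from the network script. A `no_handshake` result points at name resolution or Ingress routing for the `*.localho.st` host; a `verify_failed` result means something other than the expected CA (for example a different TLS terminator in front of the pod) answered the SNI name.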

papandas commented 1 year ago

Hi @FROOOOOOO

I went ahead to create ExternalDNS records on AWS. That did solved the problem you are having. But then I run into another, which I mentioned above.

Just wondering, if you got this fixed.

FROOOOOOO commented 1 year ago

> Hi @FROOOOOOO
>
> I went ahead to create ExternalDNS records on AWS. That did solved the problem you are having. But then I run into another, which I mentioned above.
>
> Just wondering, if you got this fixed.

Thanks for the reply. I have retried the process using a Kind cluster and it works fine. Then I switched to the hlf operator for deployment.