I have created a 2 orgs 1 peer each and one orderer and deployed in docker swarm.
Instead of using cryptogen i have used fabric-ca to generate the identities. I'm able to start the peers and orderers and able to create channel and join both the peers into the channel.
After joining the peers to channel, I could see the orderer logs:
2021-06-30 20:38:02.241 UTC [policies] SignatureSetToValidIdentities -> WARN 1ea invalid identity: certificate subject=CN=peer0.org1.example.com,OU=COP,L=San Francisco,ST=California,C=US serialnumber=268337738708423250738667250199689187829 error="the supplied identity is not valid: x509: certificate signed by unknown authority"
2021-06-30 20:38:02.242 UTC [policies] SignatureSetToValidIdentities -> WARN 1eb invalid identity: certificate subject=CN=peer0.org1.example.com,OU=COP,L=San Francisco,ST=California,C=US serialnumber=268337738708423250738667250199689187829 error="the supplied identity is not valid: x509: certificate signed by unknown authority"
2021-06-30 20:38:02.243 UTC [policies] SignatureSetToValidIdentities -> WARN 1ec invalid identity: certificate subject=CN=peer0.org1.example.com,OU=COP,L=San Francisco,ST=California,C=US serialnumber=268337738708423250738667250199689187829 error="the supplied identity is not valid: x509: certificate signed by unknown authority"
2021-06-30 20:38:02.243 UTC [common.deliver] deliverBlocks -> WARN 1ed [channel: mychannel] Client 10.200.1.4:59232 is not authorized: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Readers' sub-policies to be satisfied: permission denied
2021-06-30 20:38:02.243 UTC [comm.grpc.server] 1 -> INFO 1ee streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Deliver grpc.peer_address=10.200.1.4:59232 grpc.code=OK grpc.call_duration=2.409698ms
2021-06-30 20:38:49.480 UTC [policies] SignatureSetToValidIdentities -> WARN 1ef invalid identity: certificate subject=CN=peer0.org1.example.com,OU=COP,L=San Francisco,ST=California,C=US serialnumber=268337738708423250738667250199689187829 error="the supplied identity is not valid: x509: certificate signed by unknown authority"
2021-06-30 20:38:49.481 UTC [policies] SignatureSetToValidIdentities -> WARN 1f0 invalid identity: certificate subject=CN=peer0.org1.example.com,OU=COP,L=San Francisco,ST=California,C=US serialnumber=268337738708423250738667250199689187829 error="the supplied identity is not valid: x509: certificate signed by unknown authority"
2021-06-30 20:38:49.481 UTC [policies] SignatureSetToValidIdentities -> WARN 1f1 invalid identity: certificate subject=CN=peer0.org1.example.com,OU=COP,L=San Francisco,ST=California,C=US serialnumber=268337738708423250738667250199689187829 error="the supplied identity is not valid: x509: certificate signed by unknown authority"
2021-06-30 20:38:49.481 UTC [common.deliver] deliverBlocks -> WARN 1f2 [channel: mychannel] Client 10.200.1.4:37920 is not authorized: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Readers' sub-policies to be satisfied: permission denied
2021-06-30 20:38:49.482 UTC [comm.grpc.server] 1 -> INFO 1f3 streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Deliver grpc.peer_address=10.200.1.4:37920 grpc.code=OK grpc.call_duration=2.250383ms
2021-06-30 20:40:58.639 UTC [policies] SignatureSetToValidIdentities -> WARN 1f4 invalid identity: certificate subject=CN=peer0.org1.example.com,OU=COP,L=San Francisco,ST=California,C=US serialnumber=268337738708423250738667250199689187829 error="the supplied identity is not valid: x509: certificate signed by unknown authority"
2021-06-30 20:40:58.640 UTC [policies] SignatureSetToValidIdentities -> WARN 1f5 invalid identity: certificate subject=CN=peer0.org1.example.com,OU=COP,L=San Francisco,ST=California,C=US serialnumber=268337738708423250738667250199689187829 error="the supplied identity is not valid: x509: certificate signed by unknown authority"
2021-06-30 20:40:58.640 UTC [policies] SignatureSetToValidIdentities -> WARN 1f6 invalid identity: certificate subject=CN=peer0.org1.example.com,OU=COP,L=San Francisco,ST=California,C=US serialnumber=268337738708423250738667250199689187829 error="the supplied identity is not valid: x509: certificate signed by unknown authority"
2021-06-30 20:40:58.641 UTC [common.deliver] deliverBlocks -> WARN 1f7 [channel: mychannel] Client 10.200.1.4:59250 is not authorized: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Readers' sub-policies to be satisfied: permission denied
2021-06-30 20:40:58.641 UTC [comm.grpc.server] 1 -> INFO 1f8 streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Deliver grpc.peer_address=10.200.1.4:59250 grpc.code=OK grpc.call_duration=16.793212ms
peer logs:
2021-06-30 20:40:58.641 UTC [peer.blocksprovider] DeliverBlocks -> WARN 094 Got error while attempting to receive blocks: received bad status FORBIDDEN from orderer channel=mychannel orderer-address=orderer.example.com:7050
2021-06-30 20:44:30.298 UTC [peer.blocksprovider] func1 -> WARN 095 Encountered an error reading from deliver stream: EOF channel=mychannel orderer-address=orderer.example.com:7050
2021-06-30 20:44:30.298 UTC [peer.blocksprovider] DeliverBlocks -> WARN 096 Got error while attempting to receive blocks: received bad status FORBIDDEN from orderer channel=mychannel orderer-address=orderer.example.com:7050
2021-06-30 20:48:44.848 UTC [peer.blocksprovider] DeliverBlocks -> WARN 098 Got error while attempting to receive blocks: received bad status FORBIDDEN from orderer channel=mychannel orderer-address=orderer.example.com:7050
2021-06-30 20:48:44.848 UTC [peer.blocksprovider] func1 -> WARN 097 Encountered an error reading from deliver stream: EOF channel=mychannel orderer-address=orderer.example.com:7050
2021-06-30 20:53:49.733 UTC [peer.blocksprovider] func1 -> WARN 099 Encountered an error reading from deliver stream: EOF channel=mychannel orderer-address=orderer.example.com:7050
2021-06-30 20:53:49.734 UTC [peer.blocksprovider] DeliverBlocks -> WARN 09a Got error while attempting to receive blocks: received bad status FORBIDDEN from orderer channel=mychannel orderer-address=orderer.example.com:7050
configtx.yaml file:
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
################################################################################
#
# Section: Organizations
#
# - This section defines the different organizational identities which will
# be referenced later in the configuration.
#
################################################################################
Organizations:
# SampleOrg defines an MSP using the sampleconfig. It should never be used
# in production but may be used as a template for other definitions
- &OrdererOrg
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: OrdererOrg
# ID to load the MSP definition as
ID: OrdererMSP
# MSPDir is the filesystem path which contains the MSP configuration
MSPDir: /var/mynetwork/organizations/ordererOrganizations/example.com/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Policies:
Readers:
Type: Signature
Rule: "OR('OrdererMSP.member')"
Writers:
Type: Signature
Rule: "OR('OrdererMSP.member')"
Admins:
Type: Signature
Rule: "OR('OrdererMSP.admin')"
OrdererEndpoints:
- orderer.example.com:7050
- &Org1
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: Org1MSP
# ID to load the MSP definition as
ID: Org1MSP
MSPDir: /var/mynetwork/organizations/peerOrganizations/org1.example.com/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Policies:
Readers:
Type: Signature
Rule: "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client')"
Writers:
Type: Signature
Rule: "OR('Org1MSP.admin', 'Org1MSP.client')"
Admins:
Type: Signature
Rule: "OR('Org1MSP.admin')"
Endorsement:
Type: Signature
Rule: "OR('Org1MSP.peer')"
- &Org2
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: Org2MSP
# ID to load the MSP definition as
ID: Org2MSP
MSPDir: /var/mynetwork/organizations/peerOrganizations/org2.example.com/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Policies:
Readers:
Type: Signature
Rule: "OR('Org2MSP.admin', 'Org2MSP.peer', 'Org2MSP.client')"
Writers:
Type: Signature
Rule: "OR('Org2MSP.admin', 'Org2MSP.client')"
Admins:
Type: Signature
Rule: "OR('Org2MSP.admin')"
Endorsement:
Type: Signature
Rule: "OR('Org2MSP.peer')"
################################################################################
#
# SECTION: Capabilities
#
# - This section defines the capabilities of fabric network. This is a new
# concept as of v1.1.0 and should not be utilized in mixed networks with
# v1.0.x peers and orderers. Capabilities define features which must be
# present in a fabric binary for that binary to safely participate in the
# fabric network. For instance, if a new MSP type is added, newer binaries
# might recognize and validate the signatures from this type, while older
# binaries without this support would be unable to validate those
# transactions. This could lead to different versions of the fabric binaries
# having different world states. Instead, defining a capability for a channel
# informs those binaries without this capability that they must cease
# processing transactions until they have been upgraded. For v1.0.x if any
# capabilities are defined (including a map with all capabilities turned off)
# then the v1.0.x peer will deliberately crash.
#
################################################################################
Capabilities:
# Channel capabilities apply to both the orderers and the peers and must be
# supported by both.
# Set the value of the capability to true to require it.
Channel: &ChannelCapabilities
# V2_0 capability ensures that orderers and peers behave according
# to v2.0 channel capabilities. Orderers and peers from
# prior releases would behave in an incompatible way, and are therefore
# not able to participate in channels at v2.0 capability.
# Prior to enabling V2.0 channel capabilities, ensure that all
# orderers and peers on a channel are at v2.0.0 or later.
V2_0: true
# Orderer capabilities apply only to the orderers, and may be safely
# used with prior release peers.
# Set the value of the capability to true to require it.
Orderer: &OrdererCapabilities
# V2_0 orderer capability ensures that orderers behave according
# to v2.0 orderer capabilities. Orderers from
# prior releases would behave in an incompatible way, and are therefore
# not able to participate in channels at v2.0 orderer capability.
# Prior to enabling V2.0 orderer capabilities, ensure that all
# orderers on channel are at v2.0.0 or later.
V2_0: true
# Application capabilities apply only to the peer network, and may be safely
# used with prior release orderers.
# Set the value of the capability to true to require it.
Application: &ApplicationCapabilities
# V2_0 application capability ensures that peers behave according
# to v2.0 application capabilities. Peers from
# prior releases would behave in an incompatible way, and are therefore
# not able to participate in channels at v2.0 application capability.
# Prior to enabling V2.0 application capabilities, ensure that all
# peers on channel are at v2.0.0 or later.
V2_0: true
################################################################################
#
# SECTION: Application
#
# - This section defines the values to encode into a config transaction or
# genesis block for application related parameters
#
################################################################################
Application: &ApplicationDefaults
# Organizations is the list of orgs which are defined as participants on
# the application side of the network
Organizations:
# Policies defines the set of policies at this level of the config tree
# For Application policies, their canonical path is
# /Channel/Application/<PolicyName>
Policies:
Readers:
Type: ImplicitMeta
Rule: "ANY Readers"
Writers:
Type: ImplicitMeta
Rule: "ANY Writers"
Admins:
Type: ImplicitMeta
Rule: "MAJORITY Admins"
LifecycleEndorsement:
Type: ImplicitMeta
Rule: "MAJORITY Endorsement"
Endorsement:
Type: ImplicitMeta
Rule: "MAJORITY Endorsement"
Capabilities:
<<: *ApplicationCapabilities
################################################################################
#
# SECTION: Orderer
#
# - This section defines the values to encode into a config transaction or
# genesis block for orderer related parameters
#
################################################################################
Orderer: &OrdererDefaults
# Orderer Type: The orderer implementation to start
OrdererType: etcdraft
# Addresses used to be the list of orderer addresses that clients and peers
# could connect to. However, this does not allow clients to associate orderer
# addresses and orderer organizations which can be useful for things such
# as TLS validation. The preferred way to specify orderer addresses is now
# to include the OrdererEndpoints item in your org definition
Addresses:
- orderer.example.com:7050
EtcdRaft:
Consenters:
- Host: orderer.example.com
Port: 7050
ClientTLSCert: /var/mynetwork/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt
ServerTLSCert: /var/mynetwork/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt
# Batch Timeout: The amount of time to wait before creating a batch
BatchTimeout: 2s
# Batch Size: Controls the number of messages batched into a block
BatchSize:
# Max Message Count: The maximum number of messages to permit in a batch
MaxMessageCount: 10
# Absolute Max Bytes: The absolute maximum number of bytes allowed for
# the serialized messages in a batch.
AbsoluteMaxBytes: 99 MB
# Preferred Max Bytes: The preferred maximum number of bytes allowed for
# the serialized messages in a batch. A message larger than the preferred
# max bytes will result in a batch larger than preferred max bytes.
PreferredMaxBytes: 512 KB
# Organizations is the list of orgs which are defined as participants on
# the orderer side of the network
Organizations:
# Policies defines the set of policies at this level of the config tree
# For Orderer policies, their canonical path is
# /Channel/Orderer/<PolicyName>
Policies:
Readers:
Type: ImplicitMeta
Rule: "ANY Readers"
Writers:
Type: ImplicitMeta
Rule: "ANY Writers"
Admins:
Type: ImplicitMeta
Rule: "MAJORITY Admins"
# BlockValidation specifies what signatures must be included in the block
# from the orderer for the peer to validate it.
BlockValidation:
Type: ImplicitMeta
Rule: "ANY Writers"
################################################################################
#
# CHANNEL
#
# This section defines the values to encode into a config transaction or
# genesis block for channel related parameters.
#
################################################################################
Channel: &ChannelDefaults
# Policies defines the set of policies at this level of the config tree
# For Channel policies, their canonical path is
# /Channel/<PolicyName>
Policies:
# Who may invoke the 'Deliver' API
Readers:
Type: ImplicitMeta
Rule: "ANY Readers"
# Who may invoke the 'Broadcast' API
Writers:
Type: ImplicitMeta
Rule: "ANY Writers"
# By default, who may modify elements at this config level
Admins:
Type: ImplicitMeta
Rule: "MAJORITY Admins"
# Capabilities describes the channel level capabilities, see the
# dedicated Capabilities section elsewhere in this file for a full
# description
Capabilities:
<<: *ChannelCapabilities
################################################################################
#
# Profile
#
# - Different configuration profiles may be encoded here to be specified
# as parameters to the configtxgen tool
#
################################################################################
Profiles:
TwoOrgsOrdererGenesis:
<<: *ChannelDefaults
Orderer:
<<: *OrdererDefaults
Organizations:
- *OrdererOrg
Capabilities:
<<: *OrdererCapabilities
Consortiums:
SampleConsortium:
Organizations:
- *Org1
- *Org2
TwoOrgsChannel:
Consortium: SampleConsortium
<<: *ChannelDefaults
Application:
<<: *ApplicationDefaults
Organizations:
- *Org1
- *Org2
Capabilities:
<<: *ApplicationCapabilities
org1 msp cert:
openssl x509 -in /var/mynetwork/organizations/peerOrganizations/org1.example.com/users/Admin#org1.example.com/msp/signcerts/cert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
2f:f4:f1:84:51:df:a1:f1:f7:b2:6d:a2:01:5a:23:58:e3:f1:3d:53
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = fabric-ca-server
Validity
Not Before: Jun 29 17:51:00 2021 GMT
Not After : Jun 29 17:56:00 2022 GMT
Subject: C = US, ST = North Carolina, O = Hyperledger, OU = admin, CN = org1admin
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:d4:19:a3:9b:d9:13:3b:37:03:55:61:46:4f:a5:
f6:ff:e3:74:0d:f8:c4:eb:d9:5b:de:d6:06:dd:36:
3a:bd:82:dc:b3:e3:a2:7e:0e:e7:45:b3:c1:3c:69:
0b:ad:30:95:bb:dc:e8:b3:9a:88:09:5c:b7:d8:79:
ba:58:b3:aa:48
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
42:19:31:0A:C0:08:48:C6:2D:5A:1D:85:FC:E6:42:02:9E:44:74:13
X509v3 Authority Key Identifier:
keyid:48:5D:23:A8:92:AE:71:00:E4:8A:2B:8D:13:D1:CA:62:28:08:5B:5C
X509v3 Subject Alternative Name:
DNS:ubuntupc
1.2.3.4.5.6.7.8.1:
{"attrs":{"hf.Affiliation":"","hf.EnrollmentID":"org1admin","hf.Type":"admin"}}
Signature Algorithm: ecdsa-with-SHA256
30:44:02:20:64:c9:28:09:8d:06:f0:b6:68:1a:60:9f:ea:ec:
aa:df:2e:1a:2e:2c:94:bd:0f:60:db:7d:fc:a8:ed:87:f0:9b:
02:20:42:93:f3:c6:b3:b8:40:d2:f7:23:c8:67:5d:ca:fd:a0:
2b:71:ac:1f:4b:f6:f9:ec:33:78:47:48:11:4a:04:eb
Not sure where I'm missing. is anchor peer mandatory for orderer communication ?
Related
I have three node MongoDB cluster in GCP kubernetes cluster following [1], [2]. I can properly connect with tls=false using mongosh client. Then I enabled tls following [3]. Mongo cluster start properly but I cannot connect from mongosh.
Following is the connection details.
{
"connectionString.standard": "mongodb://mongo-user:stl-m0ng0-dev#mongodb-dev-0.mongodb-dev-svc.dev.svc.cluster.local:27017,mongodb-dev-1.mongodb-dev-svc.dev.svc.cluster.local:27017,mongodb-dev-2.mongodb-dev-svc.dev.svc.cluster.local:27017/dev?replicaSet=mongodb-dev&ssl=true",
"connectionString.standardSrv": "mongodb+srv://mongo-user:stl-m0ng0-dev#mongodb-dev-svc.dev.svc.cluster.local/dev?replicaSet=mongodb-dev&ssl=true",
"password": "xxxxxxx",
"username": "mongo-user"
}
Followings are the certificate details.
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = TLSGenSelfSignedtRootCA, L = $$$$
Validity
Not Before: Jul 27 09:07:50 2022 GMT
Not After : Jul 24 09:07:50 2032 GMT
Subject: CN = *.mongodb-dev-svc.dev.svc.cluster.local, O = client
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:c4:44:a6:21:95:85:9a:dc:96:63:8e:76:ed:d9:
3a:59
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Subject Alternative Name:
DNS:mongodb-dev-1.mongodb-dev-svc.dev.svc.cluster.local, DNS:mongodb-dev-2.mongodb-dev-svc.dev.svc.cluster.local, DNS:mongodb-dev-3.mongodb-dev-svc.dev.svc.cluster.local
Signature Algorithm: sha256WithRSAEncryption
7b:78:43:73:ae:2f:ce:97:de:b2:19:56:4c:38:71:8e:3d:ff:
5b:15:79:c1
Will display server certificate info
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = TLSGenSelfSignedtRootCA, L = $$$$
Validity
Not Before: Jul 27 09:07:50 2022 GMT
Not After : Jul 24 09:07:50 2032 GMT
Subject: CN = *.mongodb-dev-svc.dev.svc.cluster.local, O = server
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:bc:1e:4a:a7:4f:c4:01:71:2c:78:eb:ac:c9:53:
24:c1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:mongodb-dev-0.mongodb-dev-svc.dev.svc.cluster.local, DNS:mongodb-dev-1.mongodb-dev-svc.dev.svc.cluster.local, DNS:mongodb-dev-2.mongodb-dev-svc.dev.svc.cluster.local
Signature Algorithm: sha256WithRSAEncryption
16:0f:09:02:66:05:69:7b:91:3b:93:73:86:64:d5:8f:53:2d:
08:19:68:a7
Client side has following error
root#xxxxxxxxxxxxxxxxxx-55955c9fcd-bpp98:/usr/src/app# mongosh "mongodb+srv://mongo-user:stl-m0ng0-dev#mongodb-dev-svc.dev.svc.cluster.local/dev?replicaSet=mongodb-dev&ssl=false&tlsCAFile=ca.pem&tlsCertificateKeyFile=key.pem"
Current Mongosh Log ID: 62e1029487b960f1bd204b1d
Connecting to: mongodb+srv://<credentials>#mongodb-dev-svc.dev.svc.cluster.local/dev?replicaSet=mongodb-dev&ssl=false&tlsCAFile=ca.pem&tlsCertificateKeyFile=key.pem&appName=mongosh+1.5.1
MongoServerSelectionError: connection <monitor> to 10.120.6.8:27017 closed
Server side has following error
2022-07-27T09:25:44.992+0000 I NETWORK [conn25852] end connection 10.120.6.9:33914 (14 connections now open)
2022-07-27T09:25:44.993+0000 I NETWORK [listener] connection accepted from 10.120.6.9:33918 #25855 (15 connections now open)
2022-07-27T09:25:44.993+0000 E NETWORK [conn25854] SSL peer certificate validation failed: unsupported certificate purpose
2022-07-27T09:25:44.994+0000 I NETWORK [conn25854] Error receiving request from client: SSLHandshakeFailed: SSL peer certificate validation failed: unsupported certificate purpose. Ending connection from 10.120.8.127:58220 (connection id: 25854)
2022-07-27T09:25:44.994+0000 I NETWORK [conn25854] end connection 10.120.8.127:58220 (14 connections now open)
2022-07-27T09:25:44.995+0000 I NETWORK [listener] connection accepted from 10.120.8.127:58224 #25856 (15 connections now open)
2022-07-27T09:25:44.998+0000 E NETWORK [conn25855] SSL peer certificate validation failed: unsupported certificate purpose
2022-07-27T09:25:44.998+0000 I NETWORK [conn25855] Error receiving request from client: SSLHandshakeFailed: SSL peer certificate validation failed: unsupported certificate purpose. Ending connection from 10.120.6.9:33918 (connection id: 25855)
2022-07-27T09:25:44.998+0000 I NETWORK [conn25855] end connection 10.120.6.9:33918 (14 connections now open)
2022-07-27T09:25:45.000+0000 E NETWORK [conn25856] SSL peer certificate validation failed: unsupported certificate purpose
2022-07-27T09:25:45.000+0000 I NETWORK [conn25856] Error receiving request from client: SSLHandshakeFailed: SSL peer certificate validation failed: unsupported certificate purpose. Ending connection from 10.120.8.127:58224 (connection id: 25856)
2022-07-27T09:25:45.000+0000 I NETWORK [conn25856] end connection 10.120.8.127:58224 (13 connections now open)
2022-07-27T09:25:45.001+0000 I REPL_HB [replexec-2] Heartbeat to mongodb-dev-1.mongodb-dev-svc.dev.svc.cluster.local:27017 failed after 2 retries, response status: HostUnreachable: stream truncated
2022-07-27T09:25:45.003+0000 I NETWORK [listener] connection accepted from 10.120.8.127:58228 #25858 (14 connections now open)
2022-07-27T09:25:45.007+0000 E NETWORK [conn25858] SSL peer certificate validation failed: unsupported certificate purpose
2022-07-27T09:25:45.007+0000 I NETWORK [conn25858] Error receiving request from client: SSLHandshakeFailed: SSL peer certificate validation failed: unsupported certificate purpose. Ending connection from 10.120.8.127:58228 (connection id: 25858)
2022-07-27T09:25:45.007+0000 I NETWORK [conn25858] end connection 10.120.8.127:58228 (13 connections now open)
Operator log has TLS configuration issue.
2022-07-27T10:06:05.893Z INFO controllers/mongodb_status_options.go:110 TLS config is not yet valid, retrying in 10 seconds
2022-07-27T10:06:15.899Z INFO controllers/replica_set_controller.go:140 Reconciling MongoDB {"ReplicaSet": "dev/mongodb-replica-set"}
2022-07-27T10:06:15.900Z DEBUG controllers/replica_set_controller.go:142 Validating MongoDB.Spec {"ReplicaSet": "dev/mongodb-replica-set"}
2022-07-27T10:06:15.900Z DEBUG controllers/replica_set_controller.go:151 Ensuring the service exists {"ReplicaSet": "dev/mongodb-replica-set"}
2022-07-27T10:06:15.900Z DEBUG agent/agent_readiness.go:101 The Pod '' doesn't have annotation 'agent.mongodb.com/version' yet {"ReplicaSet": "dev/mongodb-replica-set"}
2022-07-27T10:06:15.900Z DEBUG agent/agent_readiness.go:101 The Pod '' doesn't have annotation 'agent.mongodb.com/version' yet {"ReplicaSet": "dev/mongodb-replica-set"}
2022-07-27T10:06:15.900Z DEBUG agent/agent_readiness.go:101 The Pod '' doesn't have annotation 'agent.mongodb.com/version' yet {"ReplicaSet": "dev/mongodb-replica-set"}
2022-07-27T10:06:15.900Z DEBUG agent/replica_set_port_manager.go:122 No port change required {"ReplicaSet": "dev/mongodb-replica-set"}
2022-07-27T10:06:15.906Z INFO controllers/replica_set_controller.go:462 Create/Update operation succeeded {"ReplicaSet": "dev/mongodb-replica-set","operation": "updated"}
2022-07-27T10:06:15.906Z INFO controllers/mongodb_tls.go:40 Ensuring TLS is correctly configured {"ReplicaSet": "dev/mongodb-replica-set"}
2022-07-27T10:06:15.906Z WARN controllers/mongodb_tls.go:47 CA resource not found: Secret "tls-ca-key-pair" not found {"ReplicaSet": "dev/mongodb-replica-set"}
[1]. https://github.com/mongodb/mongodb-kubernetes-operator/blob/v0.7.4/docs/install-upgrade.md
[2]. https://github.com/mongodb/mongodb-kubernetes-operator/blob/v0.7.4/docs/deploy-configure.md
[3]. https://github.com/mongodb/mongodb-kubernetes-operator/blob/v0.7.4/docs/secure.md
It had two main reasons.
I followed [1] to enable SSL. It create another Statefulset. After that there are two mongo servers. Uninstall operator and re-install and followed last stable release documentation [2]. After it properly detect configmap and secret.
But it gave SSL issue in certificates as Unsupported Certificate in server modules. Following [3] found the issue. We need to remove extended_key_useage from openssl.conf. Otherwise it not work properly.
Important thread [4]
Hope this help.
[1]. https://github.com/mongodb/mongodb-kubernetes-operator/blob/master/docs/secure.md
[2]. https://github.com/mongodb/mongodb-kubernetes-operator/blob/v0.7.4/docs/secure.md
[3]. https://stackoverflow.com/a/61964464/5607943
[4]. https://groups.google.com/g/mongodb-user/c/EmESxx5KK9Q/m/xH6Ul7fTBQAJ
I have been trying to deploy a hyperledger fabric model with 3 CAs 1 orderer and 2 peer nodes. I am able to create the channel with OSADMIN command of fabric but when I try to join the channel with peer node, I get Error: error getting endorser client for channel: endorser client failed to connect to peer-govt:7051: failed to create new connection: context...... .
Here are the logs from terminal (local host machine):
2021-06-01 06:38:54.509 UTC [common.tools.configtxgen] main -> INFO 001 Loading configuration
2021-06-01 06:38:54.522 UTC [common.tools.configtxgen.localconfig] completeInitialization -> INFO 002 orderer type: etcdraft
2021-06-01 06:38:54.522 UTC [common.tools.configtxgen.localconfig] completeInitialization -> INFO 003 Orderer.EtcdRaft.Options unset, setting to tick_interval:"500ms" election_tick:10 heartbeat_tick:1 max_inflight_blocks:5 snapshot_interval_size:16777216
2021-06-01 06:38:54.522 UTC [common.tools.configtxgen.localconfig] Load -> INFO 004 Loaded configuration: /etc/hyperledger/clipod/configtx/configtx.yaml
2021-06-01 06:38:54.712 UTC [common.tools.configtxgen] doOutputBlock -> INFO 005 Generating genesis block
2021-06-01 06:38:54.712 UTC [common.tools.configtxgen] doOutputBlock -> INFO 006 Creating application channel genesis block
2021-06-01 06:38:54.712 UTC [common.tools.configtxgen] doOutputBlock -> INFO 007 Writing genesis block
cli-dd4cc5fbf-pdcgb
Status: 201
{
"name": "commonchannel",
"url": "/participation/v1/channels/commonchannel",
"consensusRelation": "consenter",
"status": "active",
"height": 1
}
cli-dd4cc5fbf-pdcgb
Error: error getting endorser client for channel: endorser client failed to connect to peer-govt:7051: failed to create new connection: context deadline exceeded
command terminated with exit code 1
Error: error getting endorser client for channel: endorser client failed to connect to peer-general:9051: failed to create new connection: context deadline exceeded
command terminated with exit code 1
One thing to note down here is I am using Kubernetes and service CLUSTER_IP for all the PODS.
here are logs from one of the PEER POD (same for other)
2021-06-01 06:38:42.180 UTC [nodeCmd] registerDiscoveryService -> INFO 01b Discovery service activated
2021-06-01 06:38:42.180 UTC [nodeCmd] serve -> INFO 01c Starting peer with ID=[peer-govt], network ID=[dev], address=[peer-govt:7051]
2021-06-01 06:38:42.180 UTC [nodeCmd] func6 -> INFO 01d Starting profiling server with listenAddress = 0.0.0.0:6060
2021-06-01 06:38:42.180 UTC [nodeCmd] serve -> INFO 01e Started peer with ID=[peer-govt], network ID=[dev], address=[peer-govt:7051]
2021-06-01 06:38:42.181 UTC [kvledger] LoadPreResetHeight -> INFO 01f Loading prereset height from path [/var/hyperledger/production/ledgersData/chains]
2021-06-01 06:38:42.181 UTC [blkstorage] preResetHtFiles -> INFO 020 No active channels passed
2021-06-01 06:38:56.006 UTC [core.comm] ServerHandshake -> ERRO 021 Server TLS handshake failed in 24.669µs with error tls: first record does not look like a TLS handshake server=PeerServer remoteaddress=172.17.0.1:13258
2021-06-01 06:38:57.007 UTC [core.comm] ServerHandshake -> ERRO 022 Server TLS handshake failed in 17.772µs with error tls: first record does not look like a TLS handshake server=PeerServer remoteaddress=172.17.0.1:29568
2021-06-01 06:38:58.903 UTC [core.comm] ServerHandshake -> ERRO 023 Server TLS handshake failed in 13.581µs with error tls: first record does not look like a TLS handshake server=PeerServer remoteaddress=172.17.0.1:32615
To overcome this issue, I tried disabling the TLS by setting CORE_PEER_TLS_ENABLED to FALSE
then the proposal gets submitted but the orderer POD throws the same error of TLS handshake failed.........
Here are the commands I am using to join the channel from cli pod:
kubectl -n hyperledger -it exec $CLI_POD -- sh -c "export FABRIC_CFG_PATH=/etc/hyperledger/clipod/config && export CORE_PEER_LOCALMSPID=GeneralMSP && export CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/clipod/organizations/peerOrganizations/general.example.com/peers/peer0.general.example.com/tls/ca.crt && export CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/clipod/organizations/peerOrganizations/general.example.com/users/Admin#general.example.com/msp && export CORE_PEER_ADDRESS=peer-general:9051 && peer channel join -b /etc/hyperledger/clipod/channel-artifacts/$CHANNEL_NAME.block -o orderer:7050 --tls --cafile /etc/hyperledger/clipod/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem"
I am stuck on this problem, any help will be appreciated.
Thank you
I have fixed it. The issue I was facing was because of not setting the CORE_PEER_TLS_ENABLED = true for CLI pod.
One thing I have got learn from this whole model, whenever you see TLS issue, first to check for would be checking CORE_PEER_TLS_ENABLED variable. Make sure you have set it for all the pods or containers you are trying to interact with. The case can be false(for no TLS) or true(for using TLS) depending on your deployment.
Other things to keep in mind is using the correct variables of fabric including FABRIC_CFG_PATH, CORE_PEER_LOCALMSPID, CORE_PEER_TLS_ROOTCERT_FILE, CORE_PEER_MSPCONFIGPATH and some others depending on your command.
I have installed Strimzi Kafka and created TLS enabled cluster as follows:
listeners:
plain: {}
tls:
authentication:
type: tls
The Kafka cluster CA certificate created automatically and looks like this:
Entry type: trustedCertEntry
Owner: CN=cluster-ca v0, O=io.strimzi
Issuer: CN=cluster-ca v0, O=io.strimzi
Serial number: def376173b64bf84
Valid from: Tue Jan 26 23:25:07 MSK 2021 until: Wed Jan 26 23:25:07 MSK 2022
Certificate fingerprints:
SHA1: 4D:AA:27:0F:84:61:88:D0:B8:1C:CB:9A:DD:5F:D3:E8:3D:52:B4:65
The question is: what should I do after a year passed (as the certificate automatically created with 1 year period). I use TLS authentication for the clients (producers/consumers) -- and as a result I add this certificate to SSL truststore on the client side. What should I need on the client after a year passed? I guess update truststore with new cluster CA certificate?
The CA will be automatically renewed by Strimzi. You can just update your truststore and keep using your cluster. If you prefer, you can also provide your own certificate for the listener: https://strimzi.io/docs/operators/latest/full/using.html#kafka-listener-certificates-str or your own CA: https://strimzi.io/docs/operators/latest/full/using.html#installing-your-own-ca-certificates-str
After starting the image, orderer cannot start normally
2021-02-02 11:17:13.897 UTC [orderer.common.server] Main -> PANI 005 Failed validating bootstrap block: initializing channelconfig failed: could not create channel Consortiums sub-group config: Attempted to define two different versions of MSP: OrgcppMSP
panic: Failed validating bootstrap block: initializing channelconfig failed: could not create channel Consortiums sub-group config: Attempted to define two different versions of MSP: OrgcppMSP```
I'm following the tutorial as-is given here - http://hyperledger-fabric.readthedocs.io/en/latest/write_first_app.html
I'm working on Mac OS : High Sierra.
I'm getting error as below:
Error: Error endorsing chaincode: rpc error: code = Unknown desc =
timeout expired while starting chaincode
fabcar:1.0(networkid:dev,peerid:peer0.org1.example.com,tx:c51ca82792bd8823a60edf9c31a550836fc8932a90a2a4cec8b9c37ba24c46ea)
Thanks for the help.
command: ./startFabric.sh node
complete logs:
# don't rewrite paths for Windows Git Bash users
export MSYS_NO_PATHCONV=1
docker-compose -f docker-compose.yml down
Stopping peer0.org1.example.com ... done
Stopping orderer.example.com ... done
Stopping ca.example.com ... done
Stopping couchdb ... done
Removing peer0.org1.example.com ... done
Removing orderer.example.com ... done
Removing ca.example.com ... done
Removing couchdb ... done
Removing network net_basic
docker-compose -f docker-compose.yml up -d ca.example.com orderer.example.com
peer0.org1.example.com couchdb
Creating network "net_basic" with the default driver
Creating orderer.example.com ... done
Creating ca.example.com ... done
Creating couchdb ... done
Creating peer0.org1.example.com ... done
# wait for Hyperledger Fabric to start
# incase of errors when running later commands, issue export
FABRIC_START_TIMEOUT=<larger number>
export FABRIC_START_TIMEOUT=10
#echo ${FABRIC_START_TIMEOUT}
sleep ${FABRIC_START_TIMEOUT}
# Create the channel
docker exec -e "CORE_PEER_LOCALMSPID=Org1MSP" -e
"CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/msp/users/Admin#org1.example.com/msp"
peer0.org1.example.com peer channel create -o orderer.example.com:7050 -c
mychannel -f /etc/hyperledger/configtx/channel.tx
2018-05-03 17:56:04.275 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser
and orderer connections initialized
2018-05-03 17:56:04.392 UTC [channelCmd] InitCmdFactory -> INFO 002 Endorser
and orderer connections initialized
2018-05-03 17:56:04.621 UTC [main] main -> INFO 003 Exiting.....
# Join peer0.org1.example.com to the channel.
docker exec -e "CORE_PEER_LOCALMSPID=Org1MSP" -e
"CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/msp/users/Admin#org1.example.com/msp"
peer0.org1.example.com peer channel join -b mychannel.block
2018-05-03 17:56:04.861 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser
and orderer connections initialized
2018-05-03 17:56:05.018 UTC [channelCmd] executeJoin -> INFO 002 Successfully
submitted proposal to join channel
2018-05-03 17:56:05.018 UTC [main] main -> INFO 003 Exiting.....
Creating cli ... done
2018-05-03 17:56:06.745 UTC [msp] GetLocalMSP -> DEBU 001 Returning existing
local MSP
2018-05-03 17:56:06.745 UTC [msp] GetDefaultSigningIdentity -> DEBU 002
Obtaining default signing identity
2018-05-03 17:56:06.746 UTC [chaincodeCmd] checkChaincodeCmdParams -> INFO 003
Using default escc
2018-05-03 17:56:06.746 UTC [chaincodeCmd] checkChaincodeCmdParams -> INFO 004
Using default vscc
2018-05-03 17:56:06.746 UTC [chaincodeCmd] getChaincodeSpec -> DEBU 005 java
chaincode disabled
2018-05-03 17:56:06.749 UTC [node-platform] GetDeploymentPayload -> DEBU 006
Packaging node.js project from path /opt/gopath/src/github.com/fabcar/node
2018-05-03 17:56:06.749 UTC [container] WriteFolderToTarPackage -> INFO 007
rootDirectory = /opt/gopath/src/github.com/fabcar/node
2018-05-03 17:56:06.752 UTC [container] WriteFileToPackage -> DEBU 008 Writing
file to tarball: src/fabcar.js
2018-05-03 17:56:06.762 UTC [container] WriteFileToPackage -> DEBU 009 Writing
file to tarball: src/package.json
2018-05-03 17:56:06.765 UTC [msp/identity] Sign -> DEBU 00a Sign: plaintext:
0A9C070A5C08031A0C08B69AADD70510...C1F84F000000FFFF22CB6E3A001E0000
2018-05-03 17:56:06.765 UTC [msp/identity] Sign -> DEBU 00b Sign: digest:
CAD5821E4354EA410ED3567BE82D12813B469783B96FB8EEE2A1B4416A323B76
2018-05-03 17:56:06.816 UTC [chaincodeCmd] install -> DEBU 00c Installed
remotely response:<status:200 payload:"OK" >
2018-05-03 17:56:06.816 UTC [main] main -> INFO 00d Exiting.....
2018-05-03 17:56:07.116 UTC [msp] GetLocalMSP -> DEBU 001 Returning existing
local MSP
2018-05-03 17:56:07.116 UTC [msp] GetDefaultSigningIdentity -> DEBU 002
Obtaining default signing identity
2018-05-03 17:56:07.121 UTC [chaincodeCmd] checkChaincodeCmdParams -> INFO 003
Using default escc
2018-05-03 17:56:07.121 UTC [chaincodeCmd] checkChaincodeCmdParams -> INFO 004
Using default vscc
2018-05-03 17:56:07.123 UTC [chaincodeCmd] getChaincodeSpec -> DEBU 005 java
chaincode disabled
2018-05-03 17:56:07.125 UTC [msp/identity] Sign -> DEBU 006 Sign: plaintext:
0AA6070A6608031A0B08B79AADD70510...324D53500A04657363630A0476736363
2018-05-03 17:56:07.126 UTC [msp/identity] Sign -> DEBU 007 Sign: digest:
7574A79A053907A7CD90E656B612CE20AA80E95067403F097B3F6185EC25D329
Error: Error endorsing chaincode: rpc error: code = Unknown desc = timeout
expired while starting chaincode fabcar:1.0(networkid:dev,peerid:peer0.org1.example.com,tx:c51ca82792bd8823a60edf9c31a550836fc8932a90a2a4cec8b9c37ba24c46ea)
Usage:
peer chaincode instantiate [flags]
Flags:
-C, --channelID string The channel on which this command should be executed
--collections-config string The file containing the configuration for the chaincode's collection
-c, --ctor string Constructor message for the chaincode in JSON format (default "{}")
-E, --escc string The name of the endorsement system chaincode to be used for this chaincode
-l, --lang string Language the chaincode is written in (default "golang")
-n, --name string Name of the chaincode
-P, --policy string The endorsement policy associated to this chaincode
-v, --version string Version of the chaincode specified in install/instantiate/upgrade commands
-V, --vscc string The name of the verification system chaincode to be used for this chaincode
Global Flags:
--cafile string Path to file containing PEM-encoded
trusted certificate(s) for the ordering endpoint
--certfile string Path to file containing PEM-encoded
X509 public key to use for mutual TLS communication with the orderer endpoint
--clientauth Use mutual TLS when communicating with
the orderer endpoint
--keyfile string Path to file containing PEM-encoded
private key to use for mutual TLS communication with the orderer endpoint
--logging-level string Default logging level and overrides,
see core.yaml for full syntax
-o, --orderer string Ordering service endpoint
--ordererTLSHostnameOverride string The hostname override to use when
validating the TLS connection to the orderer.
--tls Use TLS when communicating with the
orderer endpoint
--transient string Transient map of arguments in JSON
encoding
Timeout issue is a common issue that occurs during instantiation of a chaincode. What can help you is that after issuing the
peer chaincode instantiate
command or when the logs reach to this state
[chaincodeCmd] install -> DEBU 00c Installed remotely response:<status:200 payload:"OK" >
, in a separate terminal, list the docker containers using
docker ps
You'll notice a container with a random name that you've never heard before and its image (fabric-ccenv) shows that its a secure docker container that is started for establishing chaincode environment. Note the name of the container and tail its logs using
docker logs -f <container-name-here>
now you'll see in the logs that its actually resolving the npm dependencies listed in the chaincode's package.json. The dependency resolution sometimes takes a bit larger than the expected time and hence the fabric runtime exits with the timeout issue. If the fabric script exits with the timeout issue, then you have to exec into the peer docker container and execute the
peer chaincode instantiate [flags]
command manually providing necessary flags and params. In case the dependencies are perfectly resolved, the chaincode will start within seconds this time.
I faced a similar problem. I resolved it by ensuring that docker containers start in the correct order. For example, the orderer container should start before the peers start. If the containers don't start in the right order, I faced problems while creating the channel (SERVICE_UNAVAILABLE) or while instantiating the chaincode(time out error).
I faced the same error. In my case the problem was that the name of project folder was not the same as the network name, these names are somehow related and must be the same. I renamed the folder and the problem was gone.