Running ./kfg - x509: certificate signed by unknown authority #3

Open
lcvalves opened this issue Nov 16, 2021 · 4 comments · Fixed by #4


@lcvalves

Hi, I'm testing out this repo with the asset-transfer-basic fabric sample chaincode and got into some issues along the way. I've been following this video and successfully built the kfg executable and exported my env variables correctly as mentioned in the repo's golang README.md (this includes APIKEY, KALEIDO_URL, USER_ID, etc...).

However, when I run ./kfg, I get the following log:

Failed to enroll. enroll failed: enroll failed: POST failure of request: POST https://e1tdu0bm87-e1xr4k4e7z-fabric-ca.eu1-azure.kaleido.io/enroll
{"hosts":null,"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIH4MIGgAgEAMBExDzANBgNVBAMTBnVzZXIwMjBZMBMGByqGSM49AgEGCCqGSM49\nAwEHA0IABA7jL21BgWdsJ9IcxgaNkTBtoK6qMDsdzg136ay9eTWypnHsKf30tzre\nScaotYPHhdSPT5HAFsMoC6Z+hleVb/egLTArBgkqhkiG9w0BCQ4xHjAcMBoGA1Ud\nEQQTMBGCD0RFU0tUT1AtOTdTTTk1ODAKBggqhkjOPQQDAgNHADBEAiEAwBMigHlm\nKQijL0LOXeU+pp0i3cdO0g5slRQOZ9+aMswCH0Z44x1tZcJhOIVRPCgwvF0rY8T6\nnqcjOp0iXrnKfro=\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","ReturnPrecert":false,"CAName":""}: Post "https://e1tdu0bm87-e1xr4k4e7z-fabric-ca.eu1-azure.kaleido.io/enroll": x509: certificate signed by unknown authority
Failed to enroll user user02

I'm guessing the error comes from x509: certificate signed by unknown authority, so I made sure to confirm the client's membership identity with a Self-Signed x509 CA on the Kaleido Platform. The error still came up and so I tried to establish its identity on-chain but this functionality isn't available on Fabric.

Also, every time I get this log output, I increment my USER_ID by 1 so it can properly (try to) enroll a new user.

How could I fix this? My end goal is to invoke the uploaded asset-transfer-basic chaincode so I can then test out my own contracts on the platform.

@jimthematrix
Contributor

Thanks @lcvalves for reporting the error. It turns out that the TLS CA cert resources/kaleido_ca.pem needed to be updated due to the certificate being updated on the platform.

I just checked in an updated CA cert. Please try it out and let us know if you still encounter problems.
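The failure mode described above, as an added example that is not part of the thread or of the kfg code: a client that trusts only a pinned CA file rejects a server certificate issued by a newer CA with `x509: certificate signed by unknown authority`, and accepts it once the file holds the current CA. The CA names, the host `ca.example.test` and the helpers `issue`, `verifyWithBundle` and `demo` are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed test certificate; a nil parent yields a self-signed CA.
func issue(cn string, serial int64, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true}
	if parent == nil {
		t.IsCA, t.KeyUsage, parent, pk = true, x509.KeyUsageCertSign, t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err) // also covers a failed CreateCertificate (empty DER)
	}
	return cert, key
}

// verifyWithBundle checks leaf for host against only the CAs in bundlePEM (a pinned CA file).
func verifyWithBundle(bundlePEM []byte, leaf *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(bundlePEM) {
		return fmt.Errorf("CA bundle contains no parsable certificate")
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// demo returns the verification result for a stale and for a current bundle.
func demo() (stale, current error) {
	pemOf := func(c *x509.Certificate) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}) }
	oldCA, _ := issue("constructed-old-ca", 1, nil, nil)      // what the pinned file still holds
	newCA, newKey := issue("constructed-new-ca", 2, nil, nil) // what the platform now uses
	leaf, _ := issue("ca.example.test", 3, newCA, newKey)     // server certificate
	return verifyWithBundle(pemOf(oldCA), leaf, "ca.example.test"), verifyWithBundle(pemOf(newCA), leaf, "ca.example.test")
}

func main() { fmt.Println(demo()) }
```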

@lcvalves
Author

Hi @jimthematrix

I've tried restarting the process in different ways but failed to get through the aforementioned stage. Pulled the new commit to fix the CA cert, restarted the environment with new env variables, and still got stuck on a similar log:

Failed to enroll. enroll failed: enroll failed: POST failure of request: POST https://e1jzw3m5gv-e1tql5qrgl-fabric-ca.eu1-azure.kaleido.io/enroll {"hosts":null,"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIH5MIGgAgEAMBExDzANBgNVBAMTBnVzZXIwMTBZMBMGByqGSM49AgEGCCqGSM49\nAwEHA0IABOeufzUBt54W6ugbbe/GIFowzosA4v42ZgTP+ZgU+HOw9uHYVWdc3ry0\nJUAKy7GQYvNi2C80mxk9kaNug8xjHaegLTArBgkqhkiG9w0BCQ4xHjAcMBoGA1Ud\nEQQTMBGCD0RFU0tUT1AtOTdTTTk1ODAKBggqhkjOPQQDAgNIADBFAiEApzIif5gf\nM29yjCXzegmADLiyDXZU6YEArs8Kgb7XSIsCIH5AipwJarIGgeEDzDD2baUKOGad\nXRn8SErtyqbME0Le\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","ReturnPrecert":false,"CAName":""}: Post "https://e1jzw3m5gv-e1tql5qrgl-fabric-ca.eu1-azure.kaleido.io/enroll": x509: certificate signed by unknown authority

@jimthematrix
Contributor

I was able to try it successfully against a Kaleido network in Paris (francecentral):

jimzhang$ export APIKEY=u0xxxxxx...
jimzhang$ export KALEIDO_URL=https://console-eu1.kaleido.io
jimzhang$ node app.js 
Found business network "test1" (e1bmvh3zrp)
Found environment "fabric1" (e1bl5l1kji)
Found membership "GlobalX" (e1mjapbs30)
Found Fabric CAs:
	id: e1pq3grn2n, membership: e1mjapbs30
Found these orderers:
	id: e1l3uirjsv, name: o1
Found these peers:
	id: e1gtu2u0xz, name: p1
Successfully enrolled user user01 and saved to /Users/jimzhang/fabric-test/e1bl5l1kji
{
  "client": {
    "organization": "e1mjapbs30",
    "connection": {
      "timeout": {
        "peer": {
          "endorser": 30,
          "committer": 30
        },
        "orderer": 30
      }
    }
  },
  "channels": {
    "default-channel": {
      "orderers": [
        "e1l3uirjsv"
      ],
      "peers": [
        "e1gtu2u0xz"
      ]
    }
  },
  "organizations": {
    "e1mjapbs30": {
      "mspid": "e1mjapbs30",
      "peers": [
        "e1gtu2u0xz"
      ],
      "orderers": [
        "e1l3uirjsv"
      ],
      "certificateAuthorities": [
        "e1pq3grn2n"
      ]
    }
  },
  "peers": {
    "e1gtu2u0xz": {
      "url": "grpcs://e1bl5l1kji-e1gtu2u0xz-peer.eu1-azure-ws.kaleido.io:443",
      "tlsCACerts": {
        "pem": "-----BEGIN CERTIFICATE-----\nMIIBfTCCASOgAwIBAgIUeuf7eqetMHShPSzyBAfGY4XxztcwCgYIKoZIzj0EAwIw\nGzEZMBcGA1UEAxMQZmFicmljLWNhLXNlcnZlcjAeFw0yMTExMjYxMzQ2MDBaFw0z\nNjExMjIxMzQ2MDBaMBsxGTAXBgNVBAMTEGZhYnJpYy1jYS1zZXJ2ZXIwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARVnoKLai2ED4sg/9yf5X0Awh8VNc7d6rWJIq0+\nDdjyvcoZt7n+QsfZpF5+44ZvgiUQr79u9/lKIpc8RAr3jyjco0UwQzAOBgNVHQ8B\nAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUhwoUJRynIXuT\nZYuoKcprU1WwuBkwCgYIKoZIzj0EAwIDSAAwRQIhAJs3tEWyhNlWL6lUrKOy9AhJ\n6pSG63X5fKWe3jXpGiMyAiA02zRyKr1OID5exZggqB0evnX5vL1s0/GEDHWL14lH\nvQ==\n-----END CERTIFICATE-----\n"
      }
    }
  },
  "orderers": {
    "e1l3uirjsv": {
      "url": "grpcs://e1bl5l1kji-e1l3uirjsv-orderer.eu1-azure-ws.kaleido.io:443",
      "tlsCACerts": {
        "pem": "-----BEGIN CERTIFICATE-----\nMIIBfTCCASOgAwIBAgIUeuf7eqetMHShPSzyBAfGY4XxztcwCgYIKoZIzj0EAwIw\nGzEZMBcGA1UEAxMQZmFicmljLWNhLXNlcnZlcjAeFw0yMTExMjYxMzQ2MDBaFw0z\nNjExMjIxMzQ2MDBaMBsxGTAXBgNVBAMTEGZhYnJpYy1jYS1zZXJ2ZXIwWTATBgcq\nhkjOPQIBBggqhkjOPQMBBwNCAARVnoKLai2ED4sg/9yf5X0Awh8VNc7d6rWJIq0+\nDdjyvcoZt7n+QsfZpF5+44ZvgiUQr79u9/lKIpc8RAr3jyjco0UwQzAOBgNVHQ8B\nAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUhwoUJRynIXuT\nZYuoKcprU1WwuBkwCgYIKoZIzj0EAwIDSAAwRQIhAJs3tEWyhNlWL6lUrKOy9AhJ\n6pSG63X5fKWe3jXpGiMyAiA02zRyKr1OID5exZggqB0evnX5vL1s0/GEDHWL14lH\nvQ==\n-----END CERTIFICATE-----\n"
      }
    }
  },
  "certificateAuthorities": {}
}
Calling "InitLedger" (y/n)? ^C
Generating a random asset ID to use to create a new asset: asset-792498

--> Submitting Transaction. fcn: CreateAsset, args: asset-792498,yellow,5,Tom,1300

Are you using the sample app as-is or did you write your own client code? Note that the sample code turned off server TLS verification:

    const caClient = new FabricCAClient(`${caUrl}:443`, { verify: false });

From the error you are seeing it's likely that you set verify to true but failed to provide a proper TLS CA cert.

@lcvalves
Author

> Are you using the sample app as-is or did you write your own client code? Note that the sample code turned off server TLS verification:
>
>     const caClient = new FabricCAClient(`${caUrl}:443`, { verify: false });
>
> From the error you are seeing it's likely that you set verify to true but failed to provide a proper TLS CA cert.

Regarding that, I forgot to mention that I'm using the golang sample app as-is, no changes whatsoever (hence the ./kfg command on the issue's title). That being said, here's some more info about the environment that I'm running this app on:


System

  • Windows 10 Enterprise 20H2 + Ubuntu 20.04 on WSL2
  • go version go1.17.3 linux/amd64

Kaleido Network/Env Config

  • Memberships (2 Orgs + system)
    • org01 (Self Signed Identity)
      • org01-ord Orderer Node
      • org01-p1 Peer Node
    • org02 (Identity not confirmed)
      • (No nodes on this one, I'm using the Starter Plan of Kaleido so I only have access to 2 small nodes)

Chaincode

  • I'm using a Fabric Golang chaincode binary built from the asset-transfer-basic chaincode in Hyperledger's fabric-samples repo. Got this binary from running go build -o assetTransfer_v1.bin in the fabric-samples/asset-transfer-basic/chaincode-go directory.
  • The chaincode is being deployed to the default-channel.
  • --init-required parameter is disabled both in the Kaleido platform as well as the sample app's env variable INIT_CC=false

I've tried downloading the MSP CA certificate from Kaleido and replacing both the golang/resources/kaleido_ca.pem & the ca.pem certs automatically created on the kaleido-fabric-go/(env_ID)/nodeMSP/(node_ID) folders with it but I get the same log output.

I'm guessing the TLS verification you mentioned is on config-builder.go, however I can't seem to find what specifically needs to be changed in order for it to properly work.
