I'm having issues deploying Composer on top of a multi-org, multi-peer network. My network has two CAs, one orderer and six peers (two per org).

The network uses TLS, which is giving me some issues. When running

    composer network ping -n network2 -p org1 -i user -s pass

I am receiving SSL errors:

    E0913 16:54:49.855499904 120141 ssl_transport_security.c:921] Handshake failed with fatal error SSL_ERROR_SSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed.
    E0913 16:54:49.864638248 120141 ssl_transport_security.c:921] Handshake failed with fatal error SSL_ERROR_SSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed.
    E0913 16:54:49.865108661 120141 ssl_transport_security.c:921] Handshake failed with fatal error SSL_ERROR_SSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed.
    E0913 16:54:49.865506771 120141 ssl_transport_security.c:921] Handshake failed with fatal error SSL_ERROR_SSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed.
    Error: Error trying to ping. Error: Error trying to query chaincode. Error: Connect Failed Command failed

Here is my connection file:

    {
      "type": "hlfv1",
      "name": "org1",
      "orderers": [
        {
          "url": "grpcs://localhost:7050",
          "cert": "-----BEGIN CERTIFICATE-----removed-----END CERTIFICATE-----\n"
        }
      ],
      "ca": {
        "url": "http://localhost:7054",
        "name": "ca_peerOrg1",
        "trustedRoots": [""],
        "verify": true
      },
      "peers": [
        {
          "requestURL": "grpcs://localhost:7051",
          "eventURL": "grpcs://localhost:7053",
          "cert": "-----BEGIN CERTIFICATE-----removed-----END CERTIFICATE-----\n"
        },
        {
          "requestURL": "grpcs://localhost:8051",
          "eventURL": "grpcs://localhost:8053",
          "cert": "-----BEGIN CERTIFICATE-----removed-----END CERTIFICATE-----\n"
        }
      ],
      "keyValStore": "/home/paul/.composer-credentials",
      "channel": "mychannel",
      "mspID": "Org1MSP",
      "timeout": "300",
      "globalcert": "",
      "maxSendSize": -1,
      "maxRecvSize": -1
    }

The value of cert matches the contents of the .pem file used to start the CA (sh -c 'fabric-ca-server start --ca.certfile /etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem)

Any ideas how I get this working with TLS? None of the composer commands are working; they are all giving me the same errors.

Paul X

1 Answer

If you used cryptogen to generate your certificates then there will be tls folders for your organisations which will contain the public certificate you need to put into the connection profile. The certificate you use for the CA configuration is not the correct certificate to use.

david_k
  • Thanks @david_k, I have tried changing the certificates and it does seem to help; however, I am now receiving different errors relating to the use of localhost in the GRPC connection profile. Composer is throwing an error that the certificate is not valid for localhost. I have tried changing the config to reference the container names (e.g. grpc://peer0.org1.example.com:7051) but I'm receiving some strange DNS errors with GRPC calls. – Paul X Sep 14 '17 at 10:07
  • I can see the error message 'Using native dns resolver' when using the container name from a connection profile (e.g. "requestURL": "grpc://peer0.org1.example.com:7051"). This works when changing to grpc://localhost:7051, but this gives me certificate errors. I'm thinking that this is an error with Docker? – Paul X Sep 14 '17 at 10:09
  • You probably need to make use of the hostnameOverride option in the connection profile, for example orderers: [ { url: 'grpcs://localhost:7050', hostnameOverride: 'orderer.example.com', cert:...' } ] – david_k Sep 14 '17 at 20:44
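
A lint for the two mistakes this thread identifies (the fabric-ca signing certificate pasted into `cert`, and a `grpcs://localhost` endpoint with no `hostnameOverride`), as an added example that is not part of the original posts or Composer's own code. Assumptions: peers accept the same `hostnameOverride` key the last comment shows for orderers; `lintProfile`, the finding labels, the `peer1.org1.example.com` name and the placeholder certificates are constructed for illustration.

```javascript
// Added example: lint for a Composer hlfv1 connection profile.
// All certificate strings are constructed placeholders, not real PEM data.
const pem = (body) => `-----BEGIN CERTIFICATE-----\n${body}\n-----END CERTIFICATE-----\n`;
const IDENTITY_CA = pem('CONSTRUCTEDIDENTITYCACERT'); // stands in for ca.org1.example.com-cert.pem
const TLS_CERT = pem('CONSTRUCTEDTLSCERT');           // stands in for the cert from the org's tls folder

// Compare certificates by base64 body so whitespace differences do not matter.
const pemBody = (text) => (text || '').replace(/-----[^-]+-----|\s/g, '');

function lintProfile(profile, identityCaPem) {
  const endpoints = [
    ...(profile.orderers || []).map((o, i) => ({ where: `orderers[${i}]`, url: o.url, node: o })),
    ...(profile.peers || []).map((p, i) => ({ where: `peers[${i}]`, url: p.requestURL, node: p })),
  ];
  const findings = [];
  for (const { where, url, node } of endpoints) {
    const { protocol, hostname } = new URL(url);
    if (protocol !== 'grpcs:') { findings.push(`${where}: not-tls`); continue; }
    const body = pemBody(node.cert);
    if (!body) findings.push(`${where}: missing-cert`);
    else if (body === pemBody(identityCaPem)) findings.push(`${where}: identity-ca-cert`);
    // A cert issued for the container name cannot match "localhost" without an override.
    if (/^(localhost|127\.0\.0\.1)$/.test(hostname) && !node.hostnameOverride) {
      findings.push(`${where}: hostname-mismatch`);
    }
  }
  return findings;
}

// Constructed profile reproducing the question's setup.
const asPosted = {
  orderers: [{ url: 'grpcs://localhost:7050', cert: IDENTITY_CA }],
  peers: [
    { requestURL: 'grpcs://localhost:7051', eventURL: 'grpcs://localhost:7053', cert: IDENTITY_CA },
    { requestURL: 'grpcs://localhost:8051', eventURL: 'grpcs://localhost:8053', cert: IDENTITY_CA },
  ],
};
// Constructed profile after applying the answer and the last comment.
const corrected = {
  orderers: [{ url: 'grpcs://localhost:7050', hostnameOverride: 'orderer.example.com', cert: TLS_CERT }],
  peers: [
    { requestURL: 'grpcs://localhost:7051', eventURL: 'grpcs://localhost:7053',
      hostnameOverride: 'peer0.org1.example.com', cert: TLS_CERT },
    { requestURL: 'grpcs://localhost:8051', eventURL: 'grpcs://localhost:8053',
      hostnameOverride: 'peer1.org1.example.com', cert: TLS_CERT },
  ],
};
console.log(lintProfile(asPosted, IDENTITY_CA), lintProfile(corrected, IDENTITY_CA));
```

The lint only compares text and URLs; it does not parse the certificates or confirm that the override name appears in a certificate's subject alternative names.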