
I am running a hyperledger network (1.3) consisting of 3 orgs. TLS is enabled on all components (so also the peer nodes).

I am using the fabric-go-sdk to trigger transactions.

In the log files of the fabric sdk I often get the following errors: [...]certificate signed by unknown authority[...]

This seems to happen when the sdk (that was initialized for peers of my own org) tries to contact other nodes on the network where it does not know the correct tls certificate.

I also understood that the sdk starts a discovery service and tries to discover additional peers (e.g. peers of a channel).

But how does my sdk retrieve the tls ca certificates of these peers to be able to contact them?

What I found out so far is that in the discovery service of the sdk there is a function that transforms discovered peers to a PeerConfig by calling the PeerConfig() method:

```go
func asPeer(ctx contextAPI.Client, endpoint *discclient.Peer) {
	// ....
	// look up the configured PeerConfig for the discovered peer's URL
	peerConfig, found := ctx.EndpointConfig().PeerConfig(url)
	// ....
}
```

But the PeerConfig function also has no idea what the tls ca cert of the discovered peer is and so cannot create a correct PeerConfig object by only looking at the provided url.

What is the correct way to configure my sdk to be able to speak to other peers? Where does the sdk get the tls ca certificates of the other orgs? Are they being discovered at all? Or do I have to provide them manually?

Subby

1 Answer

@Subby Don't be confused by all this stuff

Org1 - org1CA

Org2 - org2CA

If the go-sdk profile contains both organizations then you have to mention the tlsca cert of the appropriate organization's peers

It's your responsibility to mention the correct tlsca certs. Nothing to do with service discovery

"certificate signed by unknown authority" >>> means a wrong certificate which is signed by an untrusted certificate authority

All you need to do is mention the tlsca cert of the appropriate peer of the appropriate org

Coming to the Service Discovery

The rule of thumb is you need at least one peer to discover other peers, so the application will use this peer to discover other peers

Note: You must configure

- CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.org1.example.com:7051

Check the sample discovery result: http://ideone.com/UmM0cK

Narendranath Reddy
  • But then I don't understand: https://hyperledger-fabric.readthedocs.io/en/release-1.4/discovery-overview.html that says: >> [...] SDK needs a lot of information in order to allow applications to connect to the relevant network nodes. In addition to the CA and TLS certificates [...] Prior to v1.2, this information was statically encoded. However, this implementation is not dynamically reactive to network changes << For me this means the discovery service does exactly this (discover peers and their certificates) – Subby Aug 28 '19 at 14:08
  • Check this >>> The application is bootstrapped knowing about a group of peers which are trusted by the application developer/administrator to provide authentic responses to discovery queries. A good candidate peer to be used by the client application is one that is in the same organization. Note that in order for peers to be known to the discovery service, they must have an EXTERNAL_ENDPOINT defined. To see how to do this, check out our Service Discovery CLI documentation. – Narendranath Reddy Aug 28 '19 at 14:12
  • Ok, so if I understand this correctly: If my sdk wants to talk to other peers that have tls enabled there is no automatic mechanism. I have to provide this information manually and if new orgs join I have to update my sdk configuration? So there is no dynamic discovery of peer certificates? The discovery service just discovers which peers are available or in what channel etc... nothing more? – Subby Aug 28 '19 at 14:19
  • It's there, but you have to start with peers which are trusted by the application developer/administrator to provide authentic responses to discovery queries. Discovery works for the rest of the peers – Narendranath Reddy Aug 28 '19 at 14:26
  • Sorry, now I am confused. Are you saying that service discovery does also discover tls certificates of peers that belong to other orgs or not? So do I only have to mention tls certs of my own "entry"-peers, or all peers / orgs? My own peers are well known to the sdk and also the tls certificate of my own peers work as expected. – Subby Aug 28 '19 at 14:32
  • Yeah it will give the cert, check this >>> http://ideone.com/UmM0cK sample output of discovery result. Read this https://hyperledger-fabric.readthedocs.io/en/release-1.4/discovery-cli.html – Narendranath Reddy Aug 28 '19 at 15:44
  • If I answer your question could you mark it as answered? – Narendranath Reddy Aug 28 '19 at 18:26
  • Sure, if you rewrite it a little bit. It is kind of misleading when you say it is my responsibility to provide correct tls certificates. But then you say that they are indeed discovered except the initial ones of my own peers. – Subby Aug 28 '19 at 19:37
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/198631/discussion-between-narendranath-reddy-and-subby). – Narendranath Reddy Aug 29 '19 at 06:41