Tags: ssl, hyperledger-fabric, tls1.2, hyperledger, san

peers not joining channel and error with TLS connection (IP SANs error)


I was trying the architecture below in Fabric, where one peer is on another machine and the rest of the network is set up on the first machine (server/system).


After creating the channel, adding each peer to the channel shows a log as below, which was not the case when I tried the sample network (there the log used to say the peer joined the channel). Also, when I check the logs of the peer, it says:

2018-02-28 06:51:23.916 UTC [ConnProducer] NewConnection -> ERRO 36b Failed connecting to 138.68.138.161:7050 , error: x509: cannot validate certificate for 138.68.138.161 because it doesn't contain any IP SANs

The network is TLS enabled, TLS certificates are provided and the environment variables were set.

Channel-setup.sh

# Channel creation
echo "========== Creating channel: "$CHANNEL_NAME" =========="
#peer channel create -o orderer.example.com:7050 -c $CHANNEL_NAME -f ./channel-artifacts/channel.tx --tls $CORE_PEER_TLS_ENABLED --cafile /opt$

# peer0.org1 channel join
echo "========== Joining peer0.org1.example.com to channel mychannel =========="
export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/[email protected]$
export CORE_PEER_ADDRESS=peer0.org1.example.com:7051
export CORE_PEER_LOCALMSPID="Org1MSP"
export CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.or$
peer channel join -b ${CHANNEL_NAME}.block
peer channel update -o orderer.example.com:7050 -c $CHANNEL_NAME -f ./channel-artifacts/${CORE_PEER_LOCALMSPID}anchors.tx --tls $CORE_PEER_TLS$

# peer1.org1 channel join
echo "========== Joining peer1.org1.example.com to channel mychannel =========="
export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/[email protected]$
export CORE_PEER_ADDRESS=peer1.org1.example.com:7051
export CORE_PEER_LOCALMSPID="Org1MSP"
export CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer1.or$
peer channel join -b ${CHANNEL_NAME}.block

# peer0.org2 channel join
echo "========== Joining peer0.org2.example.com to channel mychannel =========="
export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/users/[email protected]$
export CORE_PEER_ADDRESS=peer0.org2.example.com:7051
export CORE_PEER_LOCALMSPID="Org2MSP"
export CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/peers/peer1.or$
peer channel join -b ${CHANNEL_NAME}.block
peer channel update -o orderer.example.com:7050 -c $CHANNEL_NAME -f ./channel-artifacts/${CORE_PEER_LOCALMSPID}anchors.tx --tls $CORE_PEER_TLS$

# peer1.org2 channel join
echo "========== Joining peer1.org2.example.com to channel mychannel =========="
export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/users/[email protected]$
export CORE_PEER_ADDRESS=peer1.org2.example.com:7051
export CORE_PEER_LOCALMSPID="Org2MSP"
export CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/peers/peer1.or$



Solution

The reason for your problem is that the TLS certificate(s) don't contain IP SANs (IP subject alternative names). This is a field in the TLS certificate that basically says: "The certificate was issued to a host whose IP is <1.2.3.4>".

In case you generated the certificates using cryptogen of version v1.0, it doesn't support adding IP SANs into the certificate. However, cryptogen of version v1.1 does support it, so if you use it, you'll have IP SANs in the TLS certificates.

Another way of solving your problem is using hostnames (DNS names) instead of IP addresses, with any version of cryptogen. If you do that, the certificate would contain DNS SANs (all versions of cryptogen encode DNS SANs in the certificates).
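As an added example, not part of the question or the answer above and not Fabric's or cryptogen's own code, the following Go program shows why the peer's error appears and why both fixes in the answer work. It uses only the standard-library crypto/x509 package (the same package a Go TLS client such as the Fabric peer uses for hostname verification) to build two constructed, self-signed orderer certificates: one with a DNS SAN only, as cryptogen v1.0 would produce, and one with both a DNS SAN and an IP SAN, as cryptogen v1.1 can produce. It then checks each certificate against the two ways the orderer can be dialled. The hostname orderer.example.com and the IP 138.68.138.161 are taken from the question; the function names newTLSCert, sanSummary and hostnameCheck are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newTLSCert builds a constructed, self-signed server certificate carrying the
// given DNS and IP SANs. It stands in for the orderer TLS certificate that
// cryptogen would generate; it is not cryptogen's own code.
func newTLSCert(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "orderer.example.com"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames, // DNS SANs: written by every cryptogen version
		IPAddresses:  ips,      // IP SANs: written by cryptogen v1.1+, absent in v1.0
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// sanSummary lists the SANs a certificate carries, the same information that
// `openssl x509 -noout -text` prints under "Subject Alternative Name".
func sanSummary(cert *x509.Certificate) (dns []string, ips []string) {
	dns = append(dns, cert.DNSNames...)
	for _, ip := range cert.IPAddresses {
		ips = append(ips, ip.String())
	}
	return dns, ips
}

// hostnameCheck applies the hostname verification a Go TLS client (and so a
// Fabric peer) applies to the address it dialled: an IP address is matched only
// against IP SANs, a DNS name only against DNS SANs. It returns "" when the
// certificate is valid for host, otherwise the verification error text.
func hostnameCheck(cert *x509.Certificate, host string) string {
	if err := cert.VerifyHostname(host); err != nil {
		return err.Error()
	}
	return ""
}

func main() {
	// Constructed certificate 1: DNS SAN only (cryptogen v1.0 behaviour).
	dnsOnly, err := newTLSCert([]string{"orderer.example.com"}, nil)
	if err != nil {
		panic(err)
	}
	// Constructed certificate 2: DNS and IP SANs (cryptogen v1.1 behaviour).
	withIP, err := newTLSCert([]string{"orderer.example.com"},
		[]net.IP{net.ParseIP("138.68.138.161")})
	if err != nil {
		panic(err)
	}
	certs := []struct {
		name string
		cert *x509.Certificate
	}{{"dns-only", dnsOnly}, {"dns+ip", withIP}}

	for _, c := range certs {
		dns, ips := sanSummary(c.cert)
		fmt.Printf("%s cert: DNS SANs=%v IP SANs=%v\n", c.name, dns, ips)
		// Dial by IP (as in the question) and by DNS name (the answer's alternative).
		for _, host := range []string{"138.68.138.161", "orderer.example.com"} {
			if msg := hostnameCheck(c.cert, host); msg != "" {
				fmt.Printf("  dial %-20s -> %s\n", host, msg)
			} else {
				fmt.Printf("  dial %-20s -> OK\n", host)
			}
		}
	}
}
```

For the DNS-only certificate dialled by IP, the program reports exactly the `x509: cannot validate certificate for 138.68.138.161 because it doesn't contain any IP SANs` error from the peer log; the same certificate dialled as orderer.example.com verifies, and the certificate carrying the IP SAN verifies either way. On a real deployment the equivalent check is `openssl x509 -in <orderer TLS cert> -noout -text`: the X509v3 Subject Alternative Name section must list the address form used in the `-o` argument and in CORE_PEER_ADDRESS, either the IP or the DNS name.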