Search code examples
dockerhyperledger-fabrichyperledgerblockchainhyperledger-fabric-ca

How to start intermediate ca using docker-compose?

The steps which I have followed:

1) started the fabric with 1-ca(which is root ca), 1-orderer, 1-peer and 1-couchdb

2) I attached the shell to ca which is root and fire the 2 commands to register the intermediate ca. 

  fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
  fabric-ca-client register --id.name ica --id.attrs '"hf.Registrar.Roles=user,peer",hf.Revoker=true,hf.IntermediateCA=true' --id.secret icapw

3) I started the ca1 container as follows:

services:
  ca1.example.com:
    image: hyperledger/fabric-ca:x86_64-1.1.0
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
      - FABRIC_CA_SERVER_PORT=8054
      - FABRIC_CA_SERVER_CA_NAME=ca1.example.com
    ports:
      - "8054:8054"
    command: sh -c 'fabric-ca-server start -b admin:adminpw -u http://ica:icapw@ca.example.com:7054'
    container_name: ca1.example.com
    networks:
      - basic

But it always creates default certificates so I removed all from container and then fire start command again and when I try to enroll admin using that intermediate ca it gives me following error:

signed certificate with serial number 619423114660023963149266564884451731119475746692
ca1.example.com    | 2018/09/20 06:38:53 [INFO] 127.0.0.1:47144 POST /enroll 500 0 "Certificate signing failure: Failed to insert record intodatabase: attempt to write a readonly database"

I am unsure about the process I followed. So suggest me the exact steps to follow and if the steps are correct then the cause of this error.

I have followed the documentation : https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.htm

Solution

  • Lets say you have a Root Fabric-CA ( lets call it RCA) server up and running.

    As per my understanding, you are trying to start an Intermediate Fabric-CA server which would be attached to the RCA above.

    What I tried is the following.

    version: '2'
networks:  fabric-ca:

services:

ica:
container_name: ica
image: hyperledger/fabric-ca
command: /bin/bash -c '/scripts/start-intermediate-ca.sh 2>&1 | tee /data/logs/ica.log'
environment:
  - FABRIC_CA_SERVER_HOME=/etc/hyperledger/fabric-ca
  - FABRIC_CA_SERVER_CA_NAME=ica
  - FABRIC_CA_SERVER_INTERMEDIATE_TLS_CERTFILES=/data/rca-ca-cert.pem
  - FABRIC_CA_SERVER_CSR_HOSTS=ica
  - FABRIC_CA_SERVER_TLS_ENABLED=true
  - FABRIC_CA_SERVER_DEBUG=true
  - BOOTSTRAP_USER_PASS=ica-admin:ica-adminpw
  - PARENT_URL=https://rca-admin:rca-adminpw@rca:7054
  - TARGET_CHAINFILE=/data/ica-ca-chain.pem
volumes:
  - ./data:/data
  - ./scripts:/scripts
  - ./data/fabric_ca_test/ica:/etc/hyperledger/fabric-ca
networks:
  - fabric-ca
ports:
  - 10.10.10.101:7055:7054

    Note the use of the script start-intermediate-ca.sh 

    #!/bin/bash
#
set -e

# Initialize the intermediate CA
fabric-ca-server init -b $BOOTSTRAP_USER_PASS -u $PARENT_URL

# Copy the intermediate CA's certificate chain to the data directory to be used by others
cp $FABRIC_CA_SERVER_HOME/ca-chain.pem $TARGET_CHAINFILE

# Start the intermediate CA
fabric-ca-server start --config $FABRIC_CA_SERVER_HOME/fabric-ca-server-config.yaml

    This is also available in an example which is present in the Hyperledger Fabric Examples. Fabric CA Samples in fabric-samples github Repository

    Go through it. Its a comprehensive example.

    You should be able to tweak it a bit to handle your scenario.