
Certificate problems on Hyperledger Fabric blockchain network deployed with Swarm


I've come across this particular problem when deploying a very simple blockchain network on Docker Swarm using Hyperledger Fabric v1.4.4. It has 2 organizations (2 peers each), 5 orderers (Raft consensus), 2 CAs (one for each organization), and 4 CouchDBs (1 for each peer).

The problem occurs when I try to join the peers to the channels that I just created. The message that shows on the terminal:

Error: error getting endorser client for channel: endorser client failed to connect to peer0org1:7051: failed to create new connection: context deadline exceeded

And when I go through the logs on that peer I see a message that caught my attention:

createTransport -> DEBU 13c grpc: addrConn.createTransport failed to connect to {peer1car1:8051 0 }. Err :connection error: desc = "transport: authentication handshake failed: x509: certificate is valid for peer1.org1, peer1, not peer1org1". Reconnecting...

And an actual error message:

UTC [core.comm] ServerHandshake -> ERRO 1b9 TLS handshake failed with error remote error: tls: bad certificate server=PeerServer remoteaddress=10.0.2.7:50504

Then I started looking at the crypto-config.yaml file and the docker-compose.yaml used to deploy my stack. In the crypto-config.yaml file, I declared the Domain key as "org1", and as you can see in the logs the certificate is valid for peer1org1. But here is the problem: when I declare a service name of "peer0.org1" I get an error from Swarm saying that it's an invalid name.

I know, I know. The message in the log is for another peer, but is there a chance it is related to this issue I'm having? Any ideas on how to resolve it?

On another subject: I'm new to the container orchestration world and would like to know your opinions. Would you use Kubernetes or Swarm to deploy a Hyperledger Fabric blockchain network in production?


Solution

  • The service name as valid in your docker network (I assume it is peer1org1) needs to be present in the TLS certificate as subject alternate name (SAN). You can specify SANS in crypto-config.yaml as follows:

    PeerOrgs:
      - Name: org1
        Domain: org1
        EnableNodeOUs: true
        Specs:
          - Hostname: peer1
            SANS:
              - "peer1org1"
          - Hostname: peer2
            SANS:
              - "peer2org1"
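To confirm the fix before redeploying the stack, the generated peer TLS certificate can be checked against the Swarm service name the same way the gRPC client does (a SAN match, not a string compare). The following is an added example, not part of the answer above or of Fabric itself; it uses only Go's standard library and builds a constructed self-signed certificate in place of cryptogen's output, so `hostnameCoveredByCert` can equally be pointed at a real `tls/server.crt` read from disk.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// hostnameCoveredByCert parses a PEM X.509 cert (e.g. cryptogen's tls/server.crt)
// and reports whether name passes the TLS hostname check against its SANs.
func hostnameCoveredByCert(certPEM []byte, name string) (bool, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return false, fmt.Errorf("no PEM certificate block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	return cert.VerifyHostname(name) == nil, nil
}

// selfSignedPeerCert is a constructed fixture: a self-signed cert with the given DNS SANs, standing in for cryptogen's.
func selfSignedPeerCert(sans []string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: sans,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	// Default cryptogen SANs (Hostname.Domain and Hostname) vs. the Swarm service name "peer1org1".
	before := selfSignedPeerCert([]string{"peer1.org1", "peer1"})
	after := selfSignedPeerCert([]string{"peer1.org1", "peer1", "peer1org1"}) // with the SANS entry
	okBefore, _ := hostnameCoveredByCert(before, "peer1org1")
	okAfter, _ := hostnameCoveredByCert(after, "peer1org1")
	fmt.Println("without SANS entry:", okBefore, "with SANS entry:", okAfter) // false true
}
```

Running it against the real certificate for every peer and orderer service (with the exact names used in the Swarm stack file) catches the "certificate is valid for peer1.org1, peer1, not peer1org1" mismatch before the peers are started.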