I am trying to Maintain the High Availability (HA) of the Certificate Authority (CA) server (Without using the Container orchestration Technique like K8). To achieve that, I used the YAML anchor and merge syntax. Both containers run and listen to the server port. The Problem here arises is, Only one server works as expected as previous as a normal, and another replicated using merge and anchor is not working. It throws an error while sending a request to the replicated server using SDK. I performed enrollAdmin operation using enrollAdmin.js provided by fabcar (sample provided by hyperledger fabric). The error code is as below :
gopal@gopal:~/Dappdev/first/fabric-samples/fabcar/javascript$ node enrollAdmin.js
Wallet path: /home/gopal/Dappdev/first/fabric-samples/fabcar/javascript/wallet
Enroll the admin user, and import the new identity into the wallet
2021-01-12T08:42:03.572Z - error: [FabricCAClientService.js]: Failed to enroll admin, error:%o message=Calling enrollment endpoint failed with error [Error: write EPROTO 139961596319552:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:
], stack=Error: Calling enrollment endpoint failed with error [Error: write EPROTO 139961596319552:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:
]
at ClientRequest.request.on (/home/gopal/Dappdev/first/fabric-samples/fabcar/javascript/node_modules/fabric-ca-client/lib/FabricCAClient.js:487:12)
at ClientRequest.emit (events.js:198:13)
at TLSSocket.socketErrorListener (_http_client.js:401:9)
at TLSSocket.emit (events.js:198:13)
at errorOrDestroy (internal/streams/destroy.js:107:12)
at onwriteError (_stream_writable.js:436:5)
at onwrite (_stream_writable.js:461:5)
at _destroy (internal/streams/destroy.js:49:7)
at TLSSocket.Socket._destroy (net.js:614:3)
at TLSSocket.destroy (internal/streams/destroy.js:37:8)
Failed to enroll admin user "admin": Error: Calling enrollment endpoint failed with error [Error: write EPROTO 139961596319552:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:
]
gopal@gopal:~/Dappdev/first/fabric-samples/fabcar/javascript$
Additionally, to explain more, I am adding CA configuration file as below.
version: '2'
networks:
byfn:
services:
ca0: &name-me
image: hyperledger/fabric-ca:$IMAGE_TAG
environment:
- FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
- FABRIC_CA_SERVER_CA_NAME=ca-org1
- FABRIC_CA_SERVER_TLS_ENABLED=true
- FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
- FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/key.pem
- FABRIC_CA_SERVER_PORT=7054
ports:
- "7054:7054"
command: sh -c 'fabric-ca-server start --ca.certfile /etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem --ca.keyfile /etc/hyperledger/fabric-ca-server-config/key.pem -b admin:adminpw -d'
volumes:
- ./crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config
container_name: ca_server01
networks:
- byfn
# Replicated CA
ca01:
<<: *name-me # <- this is a merge (<<) with an alias (*name-me)
# keys below merge notation override those that declared under anchor
# so this:
ports:
- "8054:8054"
container_name: ca_server02
environment:
- FABRIC_CA_SERVER_PORT=8054
Further more, to confirm the configuration, I have added a connection profile for this CA.
"certificateAuthorities": {
"ca.org1.example.com": {
"url": "https://localhost:8054",
"caName": "ca-org1",
"tlsCACerts": {
"pem": "-----BEGIN CERTIFICATE-----\nMIICUDCCAfegAwIBAgIQWmpv94Te6dBKBjMEJrZ/RDAKBggqhkjOPQQDAjBzMQsw\nCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZy\nYW5jaXNjbzEZMBcGA1UEChMQb3JnMS5leGFtcGxlLmNvbTEcMBoGA1UEAxMTY2Eu\nb3JnMS5leGFtcGxlLmNvbTAeFw0yMDEyMDQwODI1MDBaFw0zMDEyMDIwODI1MDBa\nMHMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMRkwFwYDVQQKExBvcmcxLmV4YW1wbGUuY29tMRwwGgYDVQQD\nExNjYS5vcmcxLmV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nvhAwa7BeZTdV+Sevx0LEg+dptt1GIaQpukOhiEGmstF7Re8okIQXhQw/WjTVWlv8\nGccHPcoUuVe6nBklpHEL/qNtMGswDgYDVR0PAQH/BAQDAgGmMB0GA1UdJQQWMBQG\nCCsGAQUFBwMCBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MCkGA1UdDgQiBCBJ\n/ICyRsXWQVxtcPI0+8+ZtAYHGXb0z4VBd5yvvmv64zAKBggqhkjOPQQDAgNHADBE\nAiBYadQuHePis5gPkEoLR3yVaYzEADap31XcSg9P1L6akAIgMoxWuq58zpQrIY0X\nh4zC6aHdSt2u4hJtXLB+8JNzVy8=\n-----END CERTIFICATE-----\n"
},
"httpOptions": {
"verify": false
}
}
Is there a better way to solve this issue of replicated docker container not working for CA server replication?
Above problem of not working of replicated container of CA server is solved by adding the environment variable on replicated container as below :
services:
ca0: &name-me
#ca0:
image: hyperledger/fabric-ca:$IMAGE_TAG
environment:
- FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
- FABRIC_CA_SERVER_CA_NAME=ca-org1
- FABRIC_CA_SERVER_TLS_ENABLED=true
- FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
- FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/key.pem
- FABRIC_CA_SERVER_PORT=7054
ports:
- "7054:7054"
command: sh -c 'fabric-ca-server start --ca.certfile /etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem --ca.keyfile /etc/hyperledger/fabric-ca-server-config/key.pem -b admin:adminpw -d'
volumes:
- ./crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config
container_name: ca_server01
networks:
- byfn
# Replicated CA
ca01:
<<: *name-me # <- this is a merge (<<) with an alias (*name-me)
# keys below merge notation override those that declared under anchor
# so this:
ports:
- "8054:8054"
container_name: ca_server02
environment:
- FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
- FABRIC_CA_SERVER_CA_NAME=ca-org1
- FABRIC_CA_SERVER_TLS_ENABLED=true
- FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
- FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/key.pem
- FABRIC_CA_SERVER_PORT=8054
In this way, replicated container of CA server works.